Description
`gh` is GitHub's official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using `gh run view --log` or `gh run view --log-failed`. The vulnerability stems from the way GitHub CLI handles raw Actions log output. The `gh run view --log` and `gh run view --log-failed` commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR-triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on-screen content, or in some terminal emulators (such as screen) potentially execute arbitrary commands. This vulnerability is fixed in 2.92.0.
Published: 2026-05-15
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in GitHub CLI allows a malicious actor to inject terminal escape sequences into workflow logs that are displayed when a user runs `gh run view`, `gh run view --log`, or `gh run view --log-failed`. Because these control sequences reach the terminal unsanitized, they can alter the terminal window title, overwrite on-screen content, or, in certain terminal emulators such as "screen", potentially trigger arbitrary command execution. Because the vulnerability exists only in the client-side display of logs, the attacker must be able to influence the log content, typically via a workflow triggered by a pull request the attacker authored. The CVSS score of 3.5 indicates low severity, reflecting that the risk depends on both the attacker's ability to inject log data and the victim's local terminal environment. Nonetheless, the potential for command execution in vulnerable terminals warrants careful consideration.

Affected Systems

The affected product is GitHub CLI (cli:cli). Versions from 1.6.0 up to, but not including, 2.92.0 are vulnerable. The issue was fixed in release 2.92.0, which sanitizes log output before it is streamed to the terminal or pager.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs to supply a malicious workflow that writes controlled log lines; the victim then has to run a vulnerable `gh run view` command locally for the injected sequences to reach their terminal. While the risk of remote exploitation is low, the use of certain terminal emulators could allow local command execution, making the vulnerability non-trivial for users who view logs in those environments.

Generated by OpenCVE AI on May 15, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub CLI to version 2.92.0 or later.
  • Restrict workflow log output by sanitizing or removing escape sequences; for example, configure workflows to avoid echoing control characters or use safe logging commands.
  • Temporarily redirect log output to a file (e.g., `gh run view --log > logfile`) and inspect the file with a text editor to avoid terminal emulator interpretation.
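The fix in 2.92.0 sanitizes log lines before they reach the terminal or pager. The following Go function is an added example written for this page, not gh's own code, and assumes nothing about gh's internals: it removes bare control characters, CSI sequences (`ESC [` ... final byte), OSC strings (`ESC ]` ... BEL or ST, the form used for window-title changes) and other `ESC`-prefixed sequences from a single log line, so that only printable text is written out.

```go
package main

// stripTerminalControls drops bare C0/C1 control characters (TAB is kept),
// CSI sequences (ESC [ ... final byte), OSC strings (ESC ] ... BEL or ST) and
// any other ESC sequence (ESC, optional intermediates 0x20-0x2F, final byte).
func stripTerminalControls(line string) string {
	rs := []rune(line)
	out := make([]rune, 0, len(rs))
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		switch {
		case r == 0x1B || r == 0x9B || r == 0x9D: // ESC, 8-bit CSI, 8-bit OSC
			i = skipSequence(rs, i)
		case r < 0x20 && r != '\t', r == 0x7F, r >= 0x80 && r <= 0x9F:
			// lone control character: drop it
		default:
			out = append(out, r)
		}
	}
	return string(out)
}

// skipSequence returns the index of the last rune of the sequence at rs[i].
func skipSequence(rs []rune, i int) int {
	kind := rs[i]
	if kind == 0x1B && i+1 < len(rs) && (rs[i+1] == '[' || rs[i+1] == ']') {
		i++
		kind = 0x9B + (rs[i] - '[') // '[' -> 0x9B (CSI), ']' -> 0x9D (OSC)
	}
	for i+1 < len(rs) {
		i++
		switch kind {
		case 0x9D: // OSC ends at BEL or ST (8-bit 0x9C or ESC \)
			if rs[i] == 0x07 || rs[i] == 0x9C {
				return i
			}
			if rs[i] == 0x1B { // ESC \ closes it; any other ESC aborts it
				if i+1 < len(rs) && rs[i+1] == '\\' {
					return i + 1
				}
				return i - 1 // let the caller reprocess this ESC
			}
		default: // CSI ends at its final byte (>= 0x40); ESC at first non-intermediate
			if rs[i] >= 0x40 || (kind != 0x9B && rs[i] > 0x2F) {
				return i
			}
		}
	}
	return i // unterminated sequence swallows the rest of the line
}
```

An unterminated sequence is dropped through the end of the line rather than passed on, which is the safe failure mode for a sanitizer placed in front of a pager.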


Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 16:00:00 +0000

Description (added): same text as the Description at the top of this page.
Title (added): gh: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Weaknesses (added): CWE-150
References (added):
Metrics (added): cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T17:48:01.444Z

Reserved: 2026-05-13T08:19:32.604Z

Link: CVE-2026-45803

Vulnrichment

Updated: 2026-05-15T17:47:54.476Z

NVD

Status: Received

Published: 2026-05-15T16:16:15.280

Modified: 2026-05-15T19:17:03.017

Link: CVE-2026-45803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T18:00:05Z

Weaknesses