Description
`gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerability stems from the way GitHub CLI handles raw Actions log output. The gh run view --log and gh run view --log-failed commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on screen content, or in some terminal emulators (such as screen) potentially execute arbitrary commands. This vulnerability is fixed in 2.92.0.
Published: 2026-05-15
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in GitHub CLI allows a malicious actor to inject terminal escape sequences into workflow logs that are displayed when a user runs `gh run view`, `gh run view --log`, or `gh run view --log-failed`. These unescaped control sequences can alter the terminal window title, overwrite on-screen content, or in certain terminal emulators such as "screen" potentially trigger arbitrary command execution. Because the vulnerability exists only in the client-side display of logs, the attacker must have the ability to influence the log content, typically via a workflow triggered by a pull request authored by the attacker. The CVSS score of 3.5 indicates a low severity, reflecting that the risk depends on both the attacker's ability to inject log data and the victim's local terminal environment. Nonetheless, the potential for command execution in vulnerable terminals warrants careful consideration.

Affected Systems

The affected product is GitHub CLI (cli:cli). Versions from 1.6.0 up to, but not including, 2.92.0 are vulnerable. The issue was fixed in release 2.92.0, which sanitizes log output before it is streamed to the terminal or pager.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need to supply a malicious workflow that writes controlled log lines; they then have to run a vulnerable `gh run view` command locally to trigger the injection. While the risk of remote exploitation is low, the use of certain terminal emulators could allow local command execution, making the vulnerability non-trivial for users who view logs in those environments.

Generated by OpenCVE AI on May 15, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub CLI to version 2.92.0 or later.
  • Restrict workflow log output by sanitizing or removing escape sequences; for example, configure workflows to avoid echoing control characters or use safe logging commands.
  • Temporarily redirect log output to a file (e.g., `gh run view --log > logfile`) and inspect the file with a text editor to avoid terminal emulator interpretation.
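The second recommended action above asks for escape sequences to be stripped before log lines reach a terminal or pager. The following Go program is an added example of what such a viewer-side filter looks like; it is not the fix shipped in `gh` 2.92.0 and makes no claim about how that release sanitizes output. It drops ESC-initiated sequences (CSI, OSC and the other string-type sequences, plus two-byte escapes) and every C0 control byte except TAB, and reports how many sequences it removed so that a log containing them can be flagged. The sample log lines are constructed for the example and do not come from a real workflow run.

```go
package main

import (
	"fmt"
	"strings"
)

const esc = 0x1b

// Sanitize returns line with terminal control sequences removed and the
// number of sequences or control bytes that were dropped. Dropping rather
// than re-encoding is the conservative choice for a log viewer: nothing that
// reaches the terminal can be interpreted as an instruction to it.
func Sanitize(line string) (string, int) {
	var out strings.Builder
	dropped := 0
	b := []byte(line)
	for i := 0; i < len(b); {
		c := b[i]
		switch {
		case c == esc:
			i = skipEscape(b, i)
			dropped++
		case c < 0x20 && c != '\t', c == 0x7f:
			// Bare C0 control bytes (BEL, CR, BS, ...) and DEL carry no log content.
			i++
			dropped++
		default:
			out.WriteByte(c) // printable ASCII and UTF-8 continuation bytes pass through
			i++
		}
	}
	return out.String(), dropped
}

// skipEscape returns the index just past the escape sequence that starts at
// b[i], where b[i] is ESC.
func skipEscape(b []byte, i int) int {
	i++ // past ESC
	if i >= len(b) {
		return i
	}
	switch b[i] {
	case '[':
		// CSI: parameter and intermediate bytes are 0x20-0x3F, the final byte is 0x40-0x7E.
		i++
		for i < len(b) && b[i] >= 0x20 && b[i] <= 0x3f {
			i++
		}
		if i < len(b) && b[i] >= 0x40 && b[i] <= 0x7e {
			i++
		}
		return i
	case ']', 'P', 'X', '^', '_':
		// OSC, DCS, SOS, PM, APC: a string terminated by BEL or by ST (ESC \).
		i++
		for i < len(b) {
			if b[i] == 0x07 {
				return i + 1
			}
			if b[i] == esc && i+1 < len(b) && b[i+1] == '\\' {
				return i + 2
			}
			i++
		}
		return i // unterminated string: drop the rest of the line
	default:
		// Two-byte sequence such as ESC c (reset) or ESC ( B (charset).
		return i + 1
	}
}

// SanitizeLines filters a whole log and returns the clean lines together with
// the total number of sequences removed, which a viewer can surface as a warning.
func SanitizeLines(lines []string) ([]string, int) {
	clean := make([]string, 0, len(lines))
	total := 0
	for _, l := range lines {
		s, n := Sanitize(l)
		clean = append(clean, s)
		total += n
	}
	return clean, total
}

// Constructed sample log lines (not from a real run). The third and fourth
// carry sequences of the kind the advisory describes: an OSC that sets the
// window title, and CSI sequences that clear the screen and set colours.
var sampleLog = []string{
	"2026-05-15T10:00:00Z Run go test ./...",
	"ok  \tgithub.com/example/pkg\t0.123s",
	"\x1b]0;owned\x07build step finished",
	"\x1b[2J\x1b[H\x1b[1;31mAll checks passed\x1b[0m",
}

func main() {
	clean, removed := SanitizeLines(sampleLog)
	for _, l := range clean {
		fmt.Println(l)
	}
	if removed > 0 {
		fmt.Printf("warning: %d terminal control sequence(s) removed from log output\n", removed)
	}
}
```

The same filter belongs in front of any pager the tool spawns, since `less` and similar pagers pass raw escape sequences through to the terminal by default. Running the program prints the four lines with only their text content, followed by a warning that five sequences were removed.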



Advisories
Source: Github GHSA
ID: GHSA-crc3-h8v6-qh57
Title: GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
History

Tue, 02 Jun 2026 12:15:00 +0000

Type         Values Removed           Values Added
References
Metrics      threat_severity: None    threat_severity: Low


Fri, 22 May 2026 00:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Github, Github cli
CPEs                                    cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*
Vendors & Products                      Github, Github cli

Sun, 17 May 2026 18:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Cli, Cli cli
Vendors & Products                      Cli, Cli cli

Fri, 15 May 2026 18:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 16:00:00 +0000

Type          Values Removed    Values Added
Description                     `gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerability stems from the way GitHub CLI handles raw Actions log output. The gh run view --log and gh run view --log-failed commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on screen content, or in some terminal emulators (such as screen) potentially execute arbitrary commands. This vulnerability is fixed in 2.92.0.
Title                           gh: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Weaknesses                      CWE-150
References
Metrics                         cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T17:48:01.444Z

Reserved: 2026-05-13T08:19:32.604Z

Link: CVE-2026-45803

Vulnrichment

Updated: 2026-05-15T17:47:54.476Z

NVD

Status : Analyzed

Published: 2026-05-15T16:16:15.280

Modified: 2026-05-21T23:47:57.277

Link: CVE-2026-45803

Redhat

Severity : Low

Public Date: 2026-05-15T15:26:56Z

Links: CVE-2026-45803 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-17T17:01:38Z

Weaknesses