Description
GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.
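To make the host-attribution flaw concrete, the following Go program (an added illustration, not code from the gh project or from its 2.93.0 fix) models a token resolver that collapses every *.github.com subdomain to github.com and falls back to GH_ENTERPRISE_TOKEN for unknown hosts, next to a hardened resolver that attaches a credential only on an exact host match. The token strings, the GHES hostname ghe.example.internal and the Azure storage account name are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample values for the demonstration; none are real credentials
// or real GHES hosts.
const (
	githubToken = "ghp_EXAMPLE_GITHUB_TOKEN" // stands in for the stored github.com token
	ghesHost    = "ghe.example.internal"     // hypothetical known GHES instance
)

// vulnerableNormalizeHost reproduces the normalization the advisory describes:
// every *.github.com subdomain collapses to github.com, so a GitHub Pages host
// such as tuf-repo.github.com becomes indistinguishable from the API host.
func vulnerableNormalizeHost(host string) string {
	host = strings.ToLower(host)
	if host == "github.com" || strings.HasSuffix(host, ".github.com") {
		return "github.com"
	}
	return host
}

// vulnerableTokenFor mirrors the resolver behaviour in the advisory: a host
// normalized to github.com gets the github.com token, a known GHES host gets
// GH_ENTERPRISE_TOKEN, and any other host also falls back to GH_ENTERPRISE_TOKEN
// whenever that variable is set.
func vulnerableTokenFor(host, ghEnterpriseToken string) string {
	switch vulnerableNormalizeHost(host) {
	case "github.com":
		return githubToken
	case ghesHost:
		return ghEnterpriseToken
	default:
		return ghEnterpriseToken // the fallback that reaches sigstore and blob-storage hosts
	}
}

// FixedTokenFor is a hardened resolver (this example's own design, not gh's
// patch): a credential is attached only when the request host exactly equals
// a host that credential was issued for. Subdomains are never collapsed and
// there is no fallback for unknown hosts.
func FixedTokenFor(host, ghEnterpriseToken string) string {
	switch strings.ToLower(host) {
	case "github.com", "api.github.com":
		return githubToken
	case ghesHost:
		return ghEnterpriseToken
	default:
		return ""
	}
}

// AuthHeaderFor returns the Authorization header value a client would attach
// to rawURL under the vulnerable resolver (fixed=false) or the hardened one
// (fixed=true); an empty string means no header is sent at all.
func AuthHeaderFor(rawURL, ghEnterpriseToken string, fixed bool) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	host := u.Hostname()
	if host == "" {
		return "", fmt.Errorf("no host in %q", rawURL)
	}
	var tok string
	if fixed {
		tok = FixedTokenFor(host, ghEnterpriseToken)
	} else {
		tok = vulnerableTokenFor(host, ghEnterpriseToken)
	}
	if tok == "" {
		return "", nil
	}
	return "Bearer " + tok, nil
}

func main() {
	// Hosts the advisory names for the verification commands, plus a constructed
	// Azure Blob Storage account name (the advisory gives no account name).
	urls := []string{
		"https://api.github.com/repos/example/repo/releases",
		"https://tuf-repo.github.com/metadata/root.json",
		"https://tuf-repo-cdn.sigstore.dev/root.json",
		"https://exampleaccount.blob.core.windows.net/bundles/artifact.sigstore.json",
	}
	ghe := "ghe_EXAMPLE_ENTERPRISE_TOKEN" // as if GH_ENTERPRISE_TOKEN were exported
	for _, raw := range urls {
		before, _ := AuthHeaderFor(raw, ghe, false)
		after, _ := AuthHeaderFor(raw, ghe, true)
		fmt.Printf("%-75s vulnerable=%-36q fixed=%q\n", raw, before, after)
	}
}
```

Running it prints, for each host the advisory names, the header each resolver would attach: the hardened resolver sends nothing to the TUF mirrors or the blob-storage host while still authenticating to api.github.com and the known GHES host. The exact-match check in FixedTokenFor is the property to look for when reviewing any shared HTTP client that injects credentials automatically.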
Published: 2026-05-29
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitHub CLI previously attached the user's authorization token to HTTP requests sent to hosts it should not have authenticated to during the attestation and release verification commands. The client's host-normalization logic collapsed any *.github.com subdomain to github.com, so tuf-repo.github.com received the user's github.com token, and for hosts matching neither github.com nor a known GHES instance, such as tuf-repo-cdn.sigstore.dev, the resolver fell back to GH_ENTERPRISE_TOKEN when it was set. The token was therefore exposed to third-party servers that should never have received it; the record maps this to CWE-551 (authorization decided before host canonicalization) and CWE-863 (incorrect authorization). This allowed an attacker who could observe the traffic or run the vulnerable CLI to obtain a bearer token and impersonate the user on GitHub.

Affected Systems

Versions of the GitHub CLI (gh) prior to 2.93.0 are affected. The product is GitHub's official command-line interface. Users who ran gh attestation, gh release verify, or gh release verify-asset before the fix may have sent their authentication tokens to unintended hosts.

Risk and Exploitability

The CVSS score of 7.4 classifies the flaw as high severity; the EPSS score is less than 1%, and it is not listed in the CISA KEV catalog. The leak is triggered by running the affected commands on the user's machine, so an attacker needs remote access to that machine, or the ability to view its outbound traffic, to trigger the vulnerable commands or capture the leaked token. Once captured, the token can be used to perform unauthorized actions on GitHub, which is why the flaw is classed as both an information-exposure and a missing-authorization vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GitHub CLI 2.93.0 or later to receive the fixed host-normalization logic.
  • If the vulnerable CLI version was used before the fix, rotate any personal access or deploy tokens that were exposed.
  • If an immediate upgrade is not possible, clear the GH_ENTERPRISE_TOKEN environment variable or otherwise block the client from sending tokens to unknown hosts, and avoid using commands that trigger external metadata downloads.



Advisories
Source: Github GHSA
ID: GHSA-8xvp-7hj6-mcj9
Title: GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands
History

Thu, 18 Jun 2026 16:45:00 +0000

Type / Values Removed / Values Added
  • Weaknesses: added CWE-551
  • References: no values listed
  • Metrics (threat_severity): removed None; added Moderate


Wed, 03 Jun 2026 21:15:00 +0000

Type / Values Removed / Values Added
  • First Time appeared: added Github, Github cli
  • CPEs: added cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*
  • Vendors & Products: added Github, Github cli

Fri, 29 May 2026 18:15:00 +0000

Type / Values Removed / Values Added
  • Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 17:45:00 +0000

Type / Values Removed / Values Added
  • First Time appeared: added Cli, Cli cli
  • Vendors & Products: added Cli, Cli cli

Fri, 29 May 2026 16:15:00 +0000

Type / Values Removed / Values Added
  • Description: added GitHub CLI (gh) is GitHub's official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.
  • Title: added GitHub CLI tokens leak via `gh attestation` commands
  • Weaknesses: added CWE-863
  • References: no values listed
  • Metrics (cvssV3_1): added {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T17:14:30.823Z

Reserved: 2026-05-21T15:33:08.292Z

Link: CVE-2026-48501

Vulnrichment

Updated: 2026-05-29T17:14:20.776Z

NVD

Status: Analyzed

Published: 2026-05-29T16:16:31.497

Modified: 2026-06-03T21:06:15.150

Link: CVE-2026-48501

Redhat

Severity: Moderate

Public Date: 2026-05-29T15:14:54Z

Links: CVE-2026-48501 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T19:45:16Z

Weaknesses
  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

  • CWE-863

    Incorrect Authorization