Description
GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes an authorization header in API requests to TUF repository mirrors via the gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.
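The two resolver behaviours described above, modelled in Go as an added illustration (this is not gh's code; the token values and the GHES host name are constructed placeholders): a suffix-based normaliser with an enterprise-token fallback beside an exact-match allowlist that never falls back for an unrecognised host.

```go
package main

import (
	"fmt"
	"strings"
)

// Placeholder secrets and a hypothetical GHES host; none of this is gh's code.
const githubToken = "ghp_PLACEHOLDER_GITHUB_TOKEN"

var (
	enterpriseToken = "ghp_PLACEHOLDER_GH_ENTERPRISE_TOKEN" // stands in for GH_ENTERPRISE_TOKEN
	ghesHost        = "ghes.example.internal"
)

// vulnerableToken models the pre-2.93.0 behaviour the advisory describes:
// every *.github.com subdomain collapses to github.com, and a host matching
// neither github.com nor the known GHES instance falls back to the enterprise token.
func vulnerableToken(host string) (string, bool) {
	h := strings.ToLower(host)
	if h == "github.com" || strings.HasSuffix(h, ".github.com") {
		return githubToken, true // tuf-repo.github.com lands here
	}
	if h == ghesHost {
		return enterpriseToken, true
	}
	if enterpriseToken != "" {
		return enterpriseToken, true // tuf-repo-cdn.sigstore.dev lands here
	}
	return "", false
}

// hardenedToken attaches a token only to an exact-match allowlist of API hosts
// and returns nothing for a host it does not recognise; no suffix matching, no fallback.
func hardenedToken(host string) (string, bool) {
	allow := map[string]string{"api.github.com": githubToken, "github.com": githubToken, ghesHost: enterpriseToken}
	tok, ok := allow[strings.ToLower(host)]
	return tok, ok
}

func main() {
	// Hosts the advisory names as contacted by the verification commands, plus a real API host.
	for _, h := range []string{"api.github.com", "tuf-repo.github.com", "tuf-repo-cdn.sigstore.dev"} {
		_, v := vulnerableToken(h)
		_, f := hardenedToken(h)
		fmt.Printf("%-28s sends a token: vulnerable=%v hardened=%v\n", h, v, f)
	}
}
```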
Published: 2026-05-29
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitHub CLI previously attached the user's authorization token to HTTP requests sent to certain hosts during attestation and release verification commands. The client's host normalization logic collapsed any *.github.com subdomain to github.com, and fell back to GH_ENTERPRISE_TOKEN for unrecognised hosts, causing tokens to be sent to external domains such as tuf-repo.github.com and tuf-repo-cdn.sigstore.dev. The token was therefore exposed to third‑party servers that should not have received it, enabling an adversary who obtains it to impersonate the user and access GitHub resources. This flaw is categorized as CWE-863 (Incorrect Authorization).

Affected Systems

Versions of the GitHub CLI (gh) prior to 2.93.0 are affected. The product is the official GitHub command‑line interface. Users running commands such as gh attestation, gh release verify, or gh release verify-asset before the fix may have sent their authentication tokens to unintended hosts.

Risk and Exploitability

The CVSS score of 7.4 classifies it as high severity; the EPSS score is not available, and it is not listed in the CISA KEV catalog. Exploitation happens on the client side: an attacker would need access to the user's environment to trigger the vulnerable commands, or a position from which to observe the outbound traffic or the receiving hosts. An attacker who obtains the leaked token could perform unauthorized actions on GitHub on the user's behalf. While exposure is limited to systems where the vulnerable CLI is installed and the affected commands are used, the potential impact of credential theft is significant, warranting prompt remediation.

Generated by OpenCVE AI on May 29, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GitHub CLI 2.93.0 or later to receive the fixed host‑normalization logic.
  • If the vulnerable CLI version was used before the fix, rotate any personal access or deploy tokens that were exposed.
  • If an immediate upgrade is not possible, clear the GH_ENTERPRISE_TOKEN environment variable or otherwise block the client from sending tokens to unknown hosts, and avoid using commands that trigger external metadata downloads.



Advisories

Source: GitHub GHSA
ID: GHSA-8xvp-7hj6-mcj9
Title: GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands
History

Fri, 29 May 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Cli, Cli cli
Type: Vendors & Products
Values Added: Cli, Cli cli

Fri, 29 May 2026 16:15:00 +0000

Type: Description
Values Added: the CVE description given in the Description section above
Type: Title
Values Added: GitHub CLI tokens leak via `gh attestation` commands
Type: Weaknesses
Values Added: CWE-863
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T17:14:30.823Z

Reserved: 2026-05-21T15:33:08.292Z

Link: CVE-2026-48501

Vulnrichment

Updated: 2026-05-29T17:14:20.776Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T16:16:31.497

Modified: 2026-05-29T16:33:43.467

Link: CVE-2026-48501

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Weaknesses