SB20260528250 - Improper Authorization in GitHub CLI
Published: May 28, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Authorization (CVE-ID: CVE-2026-48501)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the shared HTTP client authentication layer when handling requests to TUF repository mirrors and external artifact hosts. A remote attacker can cause the GitHub CLI to send authentication tokens in outbound requests to disclose sensitive information.
The issue affects `gh attestation`, `gh release verify`, and `gh release verify-asset` commands during their normal retrieval of TUF metadata and artifact bundles.
Remediation
Install update from vendor's website.