Main Vulnerability Database Vulnerabilities #VU132663

Improper Authorization in GitHub CLI - CVE-2026-48501

Published: May 28, 2026

Vulnerability identifier: #VU132663

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-48501

CWE-ID: CWE-285

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: GitHub CLI

Affected software:
GitHub CLI

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the shared HTTP client authentication layer when handling requests to TUF repository mirrors and external artifact hosts. A remote attacker can cause the GitHub CLI to send authentication tokens in outbound requests to disclose sensitive information.

The issue affects `gh attestation`, `gh release verify`, and `gh release verify-asset` commands during their normal retrieval of TUF metadata and artifact bundles.

How to mitigate CVE-2026-48501

Install security update from vendor's website.

Sources

https://github.com/cli/cli/security/advisories/GHSA-8xvp-7hj6-mcj9

Improper Authorization in GitHub CLI - CVE-2026-48501

Detailed vulnerability description

How to mitigate CVE-2026-48501

Sources

Please verify you're human