CVE-2026-44479

MEDIUM EPSS 5.6%

Published May 13, 20261mo ago · Modified Jun 17, 20261w ago

5.5 CVSS 3.1

Medium

Published May 13, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1.

CVSS Details

Base Score

5.5

Exploitability

1.8

Impact

3.6

Vector string

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector Local

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

5.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

CWE-532

Affected Products 1

Vendor	Product	Version	Range
vercel	vercel	*	≥50.16.0 – <52.0.1

References 1

github.com https://github.com/vercel/vercel/security/advisories/GHSA-pgf8-2hgj-grqg

MitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.