GitHub CLI, Authorization Header Leak, CVE-2026-48501 (Critical) -DC-Jun2026-185


CVE-2026-48501 describes a vulnerability in GitHub CLI (gh) versions prior to 2.93.0. The flaw resides in the shared HTTP client used by the `gh attestation`, `gh release verify`, and `gh release verify-asset` commands. These commands fetch TUF metadata from external hosts such as tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, and artifact bundles from Azure Blob Storage.

The CLI’s authentication layer automatically attaches authorization headers (tokens) to outgoing requests based on host matching. The host normalization logic collapses any `.github.com` subdomain to github.com. Consequently, a request to `tuf-repo.github.com` (a GitHub Pages site, not a GitHub API endpoint) is incorrectly treated as a request to github.com, and the user’s `github.com` OAuth token is attached. For hosts that do not match `github.com` or a known GitHub Enterprise Server instance, the resolver falls back to the `GH_ENTERPRISE_TOKEN` environment variable if set.

Because the affected commands contact all of these external hosts as part of normal operation, the same authenticated HTTP client sends the token to each of them. An attacker controlling any of these external hosts (e.g., a malicious TUF mirror or compromised Azure storage) could intercept the `Authorization` header and gain unauthorized access to the user’s GitHub account, repositories, and API actions. The issue is fixed in gh CLI version 2.93.0 by implementing proper host allowlisting and removing automatic token injection for non-API domains.
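The two resolver behaviours described above (suffix collapsing of `*.github.com`, then an enterprise-token fallback for everything else) can be modelled in a few lines, alongside the exact-match allowlist that the fix is described as introducing. The block below is an added illustration written for this page; it is not code from the gh CLI, and the host names, token values, the `knownEnterpriseHosts` map and the `checkOutbound` guard are all constructed for the example. The guard is the kind of defence-in-depth check a team can put in front of any shared HTTP client so that a credential never leaves for a host outside the allowlist, regardless of how host matching is implemented upstream.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed example credentials; not real tokens.
const (
	githubToken     = "gho_EXAMPLE_GITHUB_TOKEN"     // token stored for github.com
	enterpriseToken = "ghe_EXAMPLE_ENTERPRISE_TOKEN" // stands in for GH_ENTERPRISE_TOKEN
)

// A known GitHub Enterprise Server host (constructed for the example).
var knownEnterpriseHosts = map[string]bool{"ghe.example.internal": true}

// vulnerableNormalizeHost models the flawed normalization the advisory describes:
// every *.github.com subdomain collapses to github.com, so a Pages site such as
// tuf-repo.github.com becomes indistinguishable from the API host.
func vulnerableNormalizeHost(host string) string {
	host = strings.ToLower(host)
	if host == "github.com" || strings.HasSuffix(host, ".github.com") {
		return "github.com"
	}
	return host
}

// vulnerableTokenForHost models the pre-2.93.0 resolver: a normalized github.com
// host gets the github.com token, a known GHES host gets the enterprise token, and
// any other host falls back to the enterprise token from the environment if set.
// enterpriseEnv stands in for the value of GH_ENTERPRISE_TOKEN.
func vulnerableTokenForHost(host, enterpriseEnv string) (string, bool) {
	switch n := vulnerableNormalizeHost(host); {
	case n == "github.com":
		return githubToken, true
	case knownEnterpriseHosts[n]:
		return enterpriseToken, true
	case enterpriseEnv != "":
		return enterpriseEnv, true
	}
	return "", false
}

// apiHostAllowlist lists the only hosts that should ever receive a GitHub token.
var apiHostAllowlist = map[string]bool{"github.com": true, "api.github.com": true}

// fixedTokenForHost models the allowlisted resolver: exact host match only,
// no suffix collapsing, and no environment fallback for arbitrary hosts.
func fixedTokenForHost(host string) (string, bool) {
	host = strings.ToLower(host)
	if apiHostAllowlist[host] {
		return githubToken, true
	}
	if knownEnterpriseHosts[host] {
		return enterpriseToken, true
	}
	return "", false
}

// checkOutbound is a last-line guard for a shared HTTP client: a request that
// carries an Authorization header may only go to an allowlisted host.
func checkOutbound(req *http.Request) error {
	if req.Header.Get("Authorization") == "" {
		return nil
	}
	host := strings.ToLower(req.URL.Hostname())
	if apiHostAllowlist[host] || knownEnterpriseHosts[host] {
		return nil
	}
	return fmt.Errorf("refusing to send Authorization header to non-API host %q", host)
}

// guardTransport wraps an http.RoundTripper with checkOutbound so the check
// cannot be bypassed by any caller that uses the client.
type guardTransport struct{ next http.RoundTripper }

func (g guardTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if err := checkOutbound(req); err != nil {
		return nil, err
	}
	return g.next.RoundTrip(req)
}

func main() {
	for _, h := range []string{"api.github.com", "tuf-repo.github.com", "tuf-repo-cdn.sigstore.dev"} {
		vt, vok := vulnerableTokenForHost(h, enterpriseToken)
		ft, fok := fixedTokenForHost(h)
		fmt.Printf("%-26s vulnerable: %-5v %-30s fixed: %-5v %s\n", h, vok, vt, fok, ft)
	}
	req, _ := http.NewRequest("GET", "https://tuf-repo.github.com/root.json", nil)
	req.Header.Set("Authorization", "Bearer "+githubToken)
	fmt.Println("guard:", checkOutbound(req))
}
```

Running it shows the vulnerable resolver handing the github.com token to tuf-repo.github.com and the enterprise token to the sigstore host, while the fixed resolver returns no token for either; the guard rejects the outbound request to the Pages host even though a token was attached. Wiring `guardTransport` into `http.Client{Transport: guardTransport{http.DefaultTransport}}` is what turns the check into a client-wide control.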

DailyCVE Form:

Platform: GitHub CLI
Version: <2.93.0
Vulnerability: Token header leak
Severity: Critical
Date: 29 May 2026

Prediction: 2.93.0 release

What Undercode Say:

Simulate vulnerable request (pre-2.93.0):
    gh attestation verify <file> --repo <owner/repo>

Observe token leakage via debug output:
    GH_DEBUG=api gh attestation verify <file> --repo <owner/repo> 2>&1 | grep -i "authorization"

Check if token sent to tuf-repo.github.com:
    curl -v https://tuf-repo.github.com/ 2>&1 | grep "Authorization"

Exploit using malicious mirror redirect:
    echo "Host: tuf-repo.github.com" | nc -l -p 80 &
    gh release verify --mirror http://localhost

Exploit:

Attacker sets up a malicious TUF mirror or controls `tuf-repo.github.com` (via GitHub Pages or DNS takeover). When the victim runs `gh attestation verify` or a similar command, the CLI sends the victim’s GitHub token to the attacker’s host. The attacker captures the `Authorization: Bearer <token>` header and uses it to access private repos, create access tokens, or modify CI workflows.

Protection:

Upgrade to GitHub CLI version 2.93.0 or later. As a workaround, unset `GH_TOKEN` and `GH_ENTERPRISE_TOKEN` before running affected commands, or use the `--insecure` flag (if available) to disable automatic auth. Alternatively, run the commands in isolated network environments or monitor outbound `Authorization` headers.

Impact:

Leakage of GitHub personal access tokens (classic or fine-grained) to third-party hosts (tuf-repo.github.com, sigstore.dev, Azure Blob Storage). Attackers can impersonate the victim, read/write repositories, exfiltrate code, deploy malicious actions, or escalate privileges if the token has admin or org-level scopes.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
