Vercel CLI, Information Disclosure via JSON Suggestion Engine, CVE-2026-44479 (Medium) -DC-Jun2026-237


When the Vercel CLI runs in non-interactive mode, either explicitly flagged (`--non-interactive`) or auto-detected because an AI agent is controlling the terminal, the tool tries to be helpful. If a command cannot complete without user input (e.g., a missing `--yes` flag, an ambiguous scope, or an API error), the CLI emits a structured JSON payload intended to guide the automation. This payload contains a `suggestedCommand` field that proposes a corrected invocation of the command.
The vulnerability arises because `suggestedCommand` is constructed by naively reusing the original command-line arguments. If the user authenticated by passing a token directly on the command line (`--token` or `-t`), that plaintext token is copied verbatim into the suggestion. The vulnerable logic exists in the `vercel` CLI codebase in versions `50.16.0` through `52.0.0`. The critical chain of conditions is:
1. Token passed as a CLI argument: the user must use `--token` (or `-t`). The `VERCEL_TOKEN` environment variable is not affected.
2. Non-interactive mode active: either via `--non-interactive` or by auto-detection of an AI agent.
3. Command cannot complete autonomously: e.g., a missing `--yes`, an ambiguous scope selection, or an API-side error.
When all three are true, the JSON payload containing the token is written to stdout or stderr. In CI/CD pipelines, agent transcripts, or any automation log that captures the CLI's output, the token is exposed in plaintext. An attacker with even read-only access to those logs (e.g., a compromised build system, a misconfigured log aggregator, or debug output saved in an artifact) can extract the token and use it to impersonate the user, deploy unauthorized code, or access sensitive project data.
The vulnerability is rated 5.5 (Medium) with the CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, reflecting that the attack requires low complexity and local log access but can lead to high confidentiality impact. The patched version is 52.0.1.
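To make the root cause concrete, the following JavaScript is an added example written for this write-up; it is not Vercel's code and does not reproduce the CLI's internals. It contrasts the vulnerable pattern (rebuilding `suggestedCommand` from the raw argv) with a hardened builder that drops the `--token`/`-t` argument and its value before the suggestion is serialized. The function names (`buildSuggestionUnsafe`, `buildSuggestionSafe`, `redactSecretArgs`, `payloadLeaksToken`), the `SECRET_FLAGS` set and the sample token value are this example's own assumptions; the accepted flag forms `--token <value>`, `-t <value>` and `--token=<value>` are assumed as well.

```javascript
// Added example (not Vercel's code): how a JSON "suggestedCommand" leaks a
// --token argument, and a hardened builder that redacts it before output.
// All names below are this example's own assumptions.

// Flags whose value is a credential and must never be echoed back to the caller.
// Assumed forms: "--token <value>", "-t <value>", "--token=<value>".
const SECRET_FLAGS = new Set(['--token', '-t']);

// Vulnerable pattern: reuse the original argv verbatim and append the missing flag.
// Whatever the user typed, including a plaintext token, lands in the payload.
function buildSuggestionUnsafe(argv, missingFlag) {
  return {
    error: `missing ${missingFlag} flag`,
    suggestedCommand: [...argv, missingFlag].join(' '),
  };
}

// Remove credential-bearing flags (and their separate value token) from argv.
function redactSecretArgs(argv) {
  const out = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    const eq = arg.indexOf('=');
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (SECRET_FLAGS.has(name)) {
      if (eq === -1) i++; // "--token <value>": skip the value too
      continue;           // drop the flag entirely; VERCEL_TOKEN carries the credential
    }
    out.push(arg);
  }
  return out;
}

// Hardened pattern: build the suggestion from the redacted argv and tell the
// operator (human or agent) to authenticate via the environment instead.
function buildSuggestionSafe(argv, missingFlag) {
  return {
    error: `missing ${missingFlag} flag`,
    suggestedCommand: [...redactSecretArgs(argv), missingFlag].join(' '),
    note: 'authenticate via the VERCEL_TOKEN environment variable',
  };
}

// Regression check suitable for a unit test: does a serialized payload still
// carry a token-style argument in any of the assumed flag forms?
function payloadLeaksToken(payload) {
  return /(?:^|\s)(?:--token|-t)(?:=|\s+)\S+/.test(JSON.stringify(payload));
}

// Constructed sample invocation (the token value is made up for this example).
const sampleArgv = ['vercel', 'deploy', '--token', 'vca_abc123', '--non-interactive'];
console.log(JSON.stringify(buildSuggestionUnsafe(sampleArgv, '--yes'))); // leaks vca_abc123
console.log(JSON.stringify(buildSuggestionSafe(sampleArgv, '--yes')));   // token absent
```

`payloadLeaksToken` is the check to wire into the CLI's own test suite: every code path that emits a suggestion payload should be asserted leak-free, so that a future refactor cannot quietly reintroduce the argv reuse.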

DailyCVE Form:

Platform: Vercel CLI
Version: 50.16.0–52.0.0
Vulnerability: Token disclosure
Severity: Medium
Date: 2026-05-13

Prediction: 2026-04-30


What Undercode Say:

The following `grep`/`jq` pipeline can be used to scan existing CI/CD logs for the vulnerable pattern. It pre-filters lines that mention `suggestedCommand` together with a `--token` argument, then lets `jq` parse each surviving line as JSON (`-R` reads raw lines and `fromjson?` silently skips lines that are not a complete JSON object) and print the offending suggestion.

```bash
# Scan build logs for leaked tokens
grep -E '"suggestedCommand".*--token[= ][A-Za-z0-9_]+' /var/log/ci-cd/build.log \
  | jq -rR 'fromjson? | select(.suggestedCommand != null) | .suggestedCommand'

# Example vulnerable output captured in logs (sample token value)
# {"error":"missing --yes flag","suggestedCommand":"vercel deploy --token vca_abc123 --yes"}

# Secure alternative using the environment variable instead of a CLI argument
export VERCEL_TOKEN="vca_abc123"
vercel deploy --non-interactive --yes
```
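Real CI and agent logs rarely contain bare JSON lines: runners prefix timestamps and job labels, and the same suggestion may use `-t` or `--token=...` rather than `--token ...`. The following JavaScript is an added example (not Undercode's or Vercel's tooling) that generalizes the scan above: it extracts the JSON object embedded in each line, reports any leaked token by prefix and length only (never logging the secret again), and returns a redacted copy of the log suitable for the "sanitize logs" step. The log lines, token values and function names (`scanLog`, `findLeakedTokens`, `redactLine`, `extractJson`) are constructed for this example; the `vca_` prefix is the one the write-up names.

```javascript
// Added example (not Vercel's or Undercode's code): detect and redact leaked
// --token / -t values in suggestion payloads captured in CI or agent logs.
// Sample log lines and token values below are constructed for this example.

// Matches "--token <v>", "-t <v>" and "--token=<v>"; group 1 keeps the flag and
// separator so redaction preserves the surrounding text, group 2 is the value.
const TOKEN_ARG = /((?:^|\s)(?:--token|-t)(?:=|\s+))([^\s"]+)/g;

// Pull the JSON object out of a log line that may carry a timestamp or runner
// label prefix (plain `jq` would reject such lines outright).
function extractJson(line) {
  const start = line.indexOf('{');
  const end = line.lastIndexOf('}');
  if (start === -1 || end <= start) return null;
  try {
    return JSON.parse(line.slice(start, end + 1));
  } catch {
    return null;
  }
}

// Token values found in the line's suggestedCommand field, if the line is a
// suggestion payload at all. Non-JSON lines yield an empty array.
function findLeakedTokens(line) {
  const payload = extractJson(line);
  if (!payload || typeof payload.suggestedCommand !== 'string') return [];
  return [...payload.suggestedCommand.matchAll(TOKEN_ARG)].map((m) => m[2]);
}

// Mask the token value wherever a credential flag appears in the raw line.
function redactLine(line) {
  return line.replace(TOKEN_ARG, '$1<REDACTED>');
}

// Scan a whole log: findings record line number, token prefix and length
// (enough for triage and rotation, without re-emitting the secret), and
// sanitized holds the log with leaked values masked.
function scanLog(lines) {
  const findings = [];
  const sanitized = [];
  lines.forEach((line, idx) => {
    const tokens = findLeakedTokens(line);
    for (const t of tokens) {
      findings.push({ line: idx + 1, prefix: t.split('_')[0], length: t.length });
    }
    sanitized.push(tokens.length ? redactLine(line) : line);
  });
  return { findings, sanitized };
}

// Constructed sample log: a runner transcript mixing plain output, two leaking
// suggestion payloads, a clean payload and a non-JSON line.
const SAMPLE_LOG = [
  '2026-05-13T10:00:01Z [runner] vercel deploy --non-interactive',
  '2026-05-13T10:00:02Z [runner] {"error":"missing --yes flag","suggestedCommand":"vercel deploy --token vca_abc123 --yes"}',
  '2026-05-13T10:00:03Z [agent] {"error":"ambiguous scope","suggestedCommand":"vercel -t vca_def456 deploy --scope team-a"}',
  '2026-05-13T10:00:04Z [runner] {"ok":true,"suggestedCommand":"vercel deploy --yes"}',
  'plain text mentioning --token but carrying no payload',
];

const result = scanLog(SAMPLE_LOG);
console.log(JSON.stringify(result.findings)); // two findings, lines 2 and 3, prefix "vca"
console.log(result.sanitized.join('\n'));      // token values replaced by <REDACTED>
```

A finding's `line` and `prefix` are enough to decide which token to revoke; keeping the value out of the report matters because the scanner's own output is usually written to the same log store that leaked the token in the first place.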

Exploit

An attacker with read access to the execution logs of a compromised CI/CD tool, an AI agent transcript, or a build system can `grep` for the specific `vca_` prefix used by Vercel tokens to steal the exposed credential. The token can then be used to:

- Deploy arbitrary code to the victim's Vercel projects.
- Access environment variables and secrets tied to the account.
- Modify deployment configurations.
- Impersonate the user in any API action.

No public exploit code exists, but the attack is trivial once logs are accessible.

Protection

- Upgrade: install Vercel CLI version 52.0.1 or later.
- Rotate exposed tokens: if `--token` was ever used with `--non-interactive`, assume the token is compromised and revoke it immediately.
- Use environment variables: always authenticate with `VERCEL_TOKEN` instead of CLI arguments.
- Sanitize logs: regularly scan and sanitize CI/CD and system logs to remove residual secrets.

Impact

| Area | Impact |
|---|---|
| Confidentiality | High: bearer tokens exposed in plaintext. |
| Integrity | None: token disclosure does not directly alter data. |
| Availability | None: no disruption of service. |
| Scope | Unauthorized access to Vercel projects, deployments, and environment variables. |


Sources:

Reported By: nvd.nist.gov