CVE-2026-48501 Overview
CVE-2026-48501 affects GitHub CLI (gh), GitHub's official command line tool, in versions prior to 2.93.0. The vulnerability stems from improper authorization [CWE-863] in the shared authenticated HTTP client. The gh attestation, gh release verify, and gh release verify-asset commands incorrectly attach the user's github.com token to requests sent to third-party hosts. Host normalization logic collapses any *.github.com subdomain to github.com, causing token leakage to TUF repository mirrors such as tuf-repo.github.com (a GitHub Pages site), tuf-repo-cdn.sigstore.dev, and Azure Blob Storage endpoints.
Critical Impact
Authentication tokens are transmitted to external hosts during artifact verification, exposing GitHub credentials to operators of TUF mirrors and CDN endpoints.
Affected Products
- GitHub CLI (gh) versions prior to 2.93.0
- Workflows using gh attestation commands
- Workflows using gh release verify and gh release verify-asset commands
Discovery Timeline
- 2026-05-29 - CVE-2026-48501 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-48501
Vulnerability Analysis
GitHub CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and incorrectly attributes target hosts. The host resolver collapses any subdomain matching *.github.com into github.com, treating unrelated services as authenticated API endpoints. Requests to tuf-repo.github.com, a GitHub Pages site rather than a GitHub API endpoint, receive the user's github.com token. For hosts that do not match github.com or a known GitHub Enterprise Server (GHES) instance, the resolver falls back to the GH_ENTERPRISE_TOKEN environment variable when set.
Root Cause
The vulnerability originates in the host normalization logic of the CLI's authenticated HTTP client. The resolver applies a coarse string match rather than verifying that a host is an actual GitHub API endpoint. Subdomains hosting static content, third-party mirrors, and CDN assets are treated as trusted authentication targets, violating the principle of least privilege for token transmission.
Attack Vector
A user running gh attestation, gh release verify, or gh release verify-asset triggers outbound requests to multiple external hosts. The Update Framework (TUF) metadata is fetched from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev. Artifact bundles are retrieved from Azure Blob Storage. Each request passes through the same authenticated HTTP client and carries the user's GitHub token. Operators of these endpoints, or any party able to observe or intercept the traffic, can capture and reuse the leaked tokens.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-8xvp-7hj6-mcj9 for technical details.
Detection Methods for CVE-2026-48501
Indicators of Compromise
- Outbound HTTPS requests from developer workstations or CI runners to tuf-repo.github.com carrying an Authorization header.
- Outbound requests to tuf-repo-cdn.sigstore.dev or Azure Blob Storage endpoints containing GitHub bearer tokens.
- Use of gh attestation, gh release verify, or gh release verify-asset with gh versions earlier than 2.93.0.
Detection Strategies
- Inventory installed gh versions across developer endpoints and CI/CD systems and flag any release earlier than 2.93.0.
- Inspect outbound proxy or TLS-terminating gateway logs for Authorization: Bearer headers sent to non-GitHub-API hosts.
- Audit GitHub token usage logs for tokens accessed shortly after artifact verification workflows ran on untrusted networks.
Monitoring Recommendations
- Monitor process telemetry for invocations of gh attestation, gh release verify, and gh release verify-asset on outdated CLI versions.
- Alert on unexpected geographic or network sources using GitHub personal access tokens after CLI verification activity.
- Track outbound connections from CI runners to TUF and Sigstore hosts and correlate with token rotation events.
How to Mitigate CVE-2026-48501
Immediate Actions Required
- Upgrade GitHub CLI to version 2.93.0 or later on all developer workstations, build agents, and container images.
- Rotate any GitHub personal access tokens and GH_ENTERPRISE_TOKEN values used with vulnerable gh versions for attestation or release verification.
- Revoke OAuth tokens issued through gh auth login on hosts that previously executed affected commands against untrusted networks.
Patch Information
The issue is fixed in GitHub CLI 2.93.0. The patched release corrects host detection so authentication headers are attached only to verified GitHub API endpoints. Refer to the GitHub Security Advisory GHSA-8xvp-7hj6-mcj9 for release notes.
Workarounds
- Avoid running gh attestation, gh release verify, and gh release verify-asset until the CLI is upgraded.
- Unset GH_ENTERPRISE_TOKEN in environments where it is not required to prevent fallback token attachment to unknown hosts.
- Route gh traffic through an egress proxy that strips Authorization headers for non-GitHub API destinations.
# Upgrade GitHub CLI to a patched version
# macOS (Homebrew)
brew update && brew upgrade gh
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade gh
# Verify installed version is 2.93.0 or later
gh --version
# Rotate tokens after upgrade
gh auth refresh
unset GH_ENTERPRISE_TOKEN
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
