CVE-2026-8767: Vercel AI RCE Vulnerability

CVE-2026-8767 Overview

CVE-2026-8767 is an OS command injection vulnerability affecting Vercel AI versions up to 3.0.97. The flaw resides in the run function of the .github/workflows/prettier-on-automerge.yml workflow file, specifically in the PR Branch Name Interpolation component. An attacker can manipulate a pull request branch name to inject shell commands that execute inside the GitHub Actions runner. The attack can be initiated remotely, but exploitation complexity is high and the conditions for successful execution are difficult to meet. The exploit has been publicly disclosed. The vendor was contacted but did not respond.

Critical Impact

Successful exploitation enables arbitrary OS command execution within the GitHub Actions runner context, potentially exposing repository secrets and CI/CD tokens.

Affected Products

• Vercel AI versions up to and including 3.0.97
• The .github/workflows/prettier-on-automerge.yml workflow file
• The PR Branch Name Interpolation component within the workflow

Discovery Timeline

• 2026-05-17 - CVE-2026-8767 published to NVD
• 2026-05-19 - Last updated in NVD database

Technical Details for CVE-2026-8767

Vulnerability Analysis

The vulnerability is classified under [CWE-77] Improper Neutralization of Special Elements used in a Command. It originates in a GitHub Actions workflow named prettier-on-automerge.yml, which automates Prettier formatting on pull request branches.

The workflow interpolates the pull request branch name directly into a shell command using GitHub Actions expression syntax such as ${{ github.head_ref }}. Because branch names accept a broad character set, an attacker controlling the source branch name can embed shell metacharacters. When the workflow executes, those metacharacters are evaluated by the underlying shell rather than treated as literal text.

The attack surface is limited to repositories that trigger this workflow on untrusted pull requests. Exploitation requires the workflow to run against attacker-controlled refs, which contributes to the high attack complexity.

Root Cause

The root cause is unsafe string interpolation of untrusted Git reference data into a shell run step. GitHub Actions documentation explicitly warns against using ${{ ... }} expressions inside run blocks for untrusted inputs because the expression is substituted before the shell parses the command. The workflow did not pass the branch name through an environment variable or apply input validation prior to use.

Attack Vector

An attacker creates a fork of the repository and opens a pull request from a branch whose name contains shell payload syntax. When the targeted workflow triggers on the pull request event, the malicious branch name is concatenated into a shell command and executed on the GitHub-hosted runner. The attacker can then exfiltrate secrets available to the workflow or modify build artifacts.

No authenticated access to the target repository is required beyond standard GitHub fork and pull request capabilities. Technical details and a proof of concept are documented in the GitHub PoC Repository and the VulDB Vulnerability #364392 entry.

Detection Methods for CVE-2026-8767

Indicators of Compromise

• Pull requests originating from branches whose names contain backticks, $(), semicolons, or pipe characters
• GitHub Actions run logs showing unexpected shell commands executed during the prettier-on-automerge job
• Outbound network connections from GitHub-hosted runners to attacker-controlled hosts during workflow execution
• Use or rotation of repository secrets immediately following a workflow run triggered by an external fork

Detection Strategies

• Audit workflow run logs for any prettier-on-automerge.yml executions and inspect the resolved branch name string
• Scan repository workflow files for ${{ github.head_ref }} or ${{ github.event.pull_request.head.ref }} used inside run blocks
• Monitor GitHub audit log events for pull requests created from forks with non-standard branch naming

Monitoring Recommendations

• Forward GitHub Actions and audit logs to a centralized monitoring platform for anomaly review
• Alert on workflow executions triggered by pull_request_target against repositories that store sensitive secrets
• Track secret access events and correlate them with the originating workflow and pull request author

How to Mitigate CVE-2026-8767

Immediate Actions Required

• Upgrade Vercel AI beyond version 3.0.97 once a fixed release is published, or remove the affected workflow until patched
• Refactor .github/workflows/prettier-on-automerge.yml to pass the branch name through an environment variable rather than interpolating it into the shell command
• Rotate any repository secrets that may have been exposed to runs triggered by external pull requests
• Restrict workflow triggers from forks using GitHub repository settings that require approval for first-time contributors

Patch Information

At the time of NVD publication, no vendor patch had been published and the maintainer did not respond to disclosure outreach. Consult the VulDB Submission #811402 and the upstream vercel/ai repository for any subsequent fix commits.

Workarounds

• Replace ${{ github.head_ref }} usage in run steps with env: mapping, then reference the variable as "$BRANCH_NAME" inside quoted shell context
• Replace pull_request_target triggers with pull_request to remove access to write-scoped tokens and secrets for forked PRs
• Enforce branch name validation in a preliminary job that rejects refs containing shell metacharacters before downstream steps run

# Configuration example: safe branch name handling in GitHub Actions
jobs:
  prettier:
    runs-on: ubuntu-latest
    steps:
      - name: Validate and use branch name safely
        env:
          BRANCH_NAME: ${{ github.head_ref }}
        run: |
          if [[ ! "$BRANCH_NAME" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
            echo "Invalid branch name"
            exit 1
          fi
          echo "Processing branch: $BRANCH_NAME"