CVE-2026-44479

Vercel: Non-interactive mode includes CLI arguments in suggested command output

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 13.05.2026

Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS Score: 5.5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vercel
Product	vercel
Versions	Version >= 50.16.0, < 52.0.1 is affected

Vendor

vercel

Product

vercel

Versions

Version >= 50.16.0, < 52.0.1 is affected

References

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE
CWE-532: Insertion of Sensitive Information into Log File CWE

CVE-2026-44479 PUBLISHED

Vercel: Non-interactive mode includes CLI arguments in suggested command output

Metrics

Product Status

References

Problem Types