CVE-2026-44479

5.5 MEDIUM

Vercel’s AI Cloud is a unified platform for building modern applications

Published: 2026-05-13 · Last updated: 2026-06-04

Severity and scoring

CVSS: 5.5 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-200, CWE-532

Affected products

Vendor: vercel
Product: vercel

Description

Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, when the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1.

Source: NVD
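
To check stored CI/CD logs or agent transcripts for the exposure described above, the following added example (not code from Vercel or from this advisory) scans log text for `vercel` commands that carry `--token` or `-t`, reports the JSON field each one sits in, and redacts the value. The sample log and the JSON field names `status`, `next` and `command` are constructed for illustration; the advisory does not document the payload schema.

```javascript
// Constructed sample log. The JSON field names are assumptions, not the CLI's schema.
const SAMPLE_LOG = [
  "$ vercel link --non-interactive -t tok_CONSTRUCTED_aaa111",
  '{"status":"action_required","next":[{"command":"vercel link --yes --token tok_CONSTRUCTED_aaa111"}]}',
  "docker build -t myimage .",
  '{"status":"ok","message":"vercel deploy finished"}',
].join("\n");

// A vercel invocation with the token on the command line:
// --token VALUE, --token=VALUE or -t VALUE. Group 2 is the token value.
const TOKEN_FLAG = /(\bvercel\b[^\n]*?\s(?:--token|-t)(?:=|\s+)["']?)([^\s"']+)/g;

// Collect every string value in a parsed JSON document together with its path.
function collectStrings(node, path, out) {
  if (typeof node === "string") out.push({ path, value: node });
  else if (Array.isArray(node)) node.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  else if (node && typeof node === "object")
    for (const [k, v] of Object.entries(node)) collectStrings(v, `${path}.${k}`, out);
  return out;
}

// Scan log text line by line. JSON lines are parsed so a finding names the
// field that holds the suggested command; other lines are matched as plain text.
function scanLog(logText) {
  const findings = [];
  logText.split("\n").forEach((line, idx) => {
    let candidates = [{ path: "(raw line)", value: line }];
    try {
      const parsed = JSON.parse(line);
      if (parsed && typeof parsed === "object") candidates = collectStrings(parsed, "$", []);
    } catch (_) { /* not JSON: keep the raw line */ }
    for (const { path, value } of candidates)
      for (const m of value.matchAll(TOKEN_FLAG))
        findings.push({ line: idx + 1, path, token: m[2] });
  });
  return findings;
}

// Replace each token value before the log is archived or shared.
function redactLog(logText) {
  return logText.replace(TOKEN_FLAG, "$1[REDACTED]");
}
```

Any token the scan reports should be treated as exposed and rotated; redacting the log does not undo copies already captured elsewhere.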

Related CVEs

Same vendor

  • CVE-2026-8769 A vulnerability was determined in vercel ai up to 3.0.97 (4.3 MEDIUM)
  • CVE-2026-8768 A vulnerability was found in vercel ai up to 3.0.97 (7.3 HIGH)
  • CVE-2026-8767 A vulnerability has been found in vercel ai up to 3.0.97 (5.0 MEDIUM)
  • CVE-2026-46508 Turborepo is a high-performance build system for JavaScript and TypeScript codebases (7.8 HIGH)
  • CVE-2026-45773 Turborepo is a high-performance build system for JavaScript and TypeScript codebases (6.5 MEDIUM)

Same CWE

  • CVE-2026-12117 Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to ...
  • CVE-2026-12320 Information disclosure in the Password Manager component (4.3 MEDIUM)
  • CVE-2026-12311 Information disclosure, sandbox escape in the Security: Process Sandboxing component (4.7 MEDIUM)
  • CVE-2026-50870 An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensi... (7.5 HIGH)
  • CVE-2026-39007 An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export ... (7.5 HIGH)