CVE-2026-8769

4.3 MEDIUM

A vulnerability was determined in vercel ai up to 3.0.97

Published: 2026-05-17 · Last updated: 2026-05-19

Severity and scoring

CVSS: 4.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400, CWE-404

Affected products

Vendor	Product
vercel	ai

Description

A vulnerability was determined in vercel ai up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource consumption. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8769
[Exploit reference]https://gist.github.com/YLChen-007/fb1096bc8428bed9a428f764d9d103bb
[Other]https://vuldb.com/submit/811406
[Other]https://vuldb.com/vuln/364394
[Other]https://vuldb.com/vuln/364394/cti

Related CVEs

Same vendor

CVE-2026-8768 — A vulnerability was found in vercel ai up to 3.0.97 (7.3 HIGH)
CVE-2026-8767 — A vulnerability has been found in vercel ai up to 3.0.97 (5.0 MEDIUM)
CVE-2026-46508 — Turborepo is a high-performance build system for JavaScript and TypeScript codebases (7.8 HIGH)
CVE-2026-45773 — Turborepo is a high-performance build system for JavaScript and TypeScript codebases (6.5 MEDIUM)
CVE-2026-45772 — Turborepo is a high-performance build system for JavaScript and TypeScript codebases (9.8 CRITICAL)

Same CWE

CVE-2026-45169 — Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 exhibit a validation vulnera...
CVE-2026-44892 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
CVE-2026-45174 — Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon ini...
CVE-2026-44890 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
CVE-2026-44250 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)