CVE-2026-44479
Vercel: Non-interactive mode includes CLI arguments in suggested command output
Description
# Summary

When the Vercel CLI runs in non-interactive mode (`--non-interactive`, or when an AI agent is auto-detected), commands that cannot complete autonomously emit JSON payloads containing suggested follow-up commands. If the user authenticated with `--token` or `-t` on the command line, the token value is included verbatim in those suggestions.

# Conditions

All three must be true for the token to appear in the output:

1. The token was passed as a CLI argument (`--token` / `-t`). The `VERCEL_TOKEN` environment variable is **not affected**.
2. Non-interactive mode is active (explicit flag or AI agent auto-detection).
3. The command cannot complete on its own (e.g. missing `--yes`, ambiguous scope, API errors). Successful commands produce no suggestion output.

# Impact

The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output.

# Remediation

- Upgrade to the patched version.
- If `--token` has previously been used together with `--non-interactive` in pipelines or agent workflows, review the resulting logs for exposed tokens and rotate them.
- Prefer the `VERCEL_TOKEN` environment variable for authentication.
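As an added illustration (not Vercel CLI code), the JavaScript below shows the pattern the advisory describes: a CLI that echoes its own argv into a suggested follow-up command leaks a `--token` value, while a hardened variant strips credential flags before the echo and points the caller at the environment variable. It also includes a small scanner for the remediation step of pulling exposed token values out of captured logs so they can be rotated. The JSON field names (`suggestion`, `note`), the `vercel deploy` sample invocation, the token value strings and the sample log lines are constructed assumptions for the example, not the real CLI's output format.

```javascript
"use strict";

// Flags whose value is a credential. Only --token/-t are named in the advisory;
// kept as a list so other secret-bearing flags could be added.
const CREDENTIAL_FLAGS = ["--token", "-t"];

// Remove "--token VALUE", "-t VALUE" and "--token=VALUE" from an argv array.
// Returns the filtered argv and whether anything was removed.
function stripCredentialArgs(argv) {
  const kept = [];
  let removed = false;
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (CREDENTIAL_FLAGS.includes(arg)) {
      removed = true;
      i += 1; // also skip the value that follows the flag
      continue;
    }
    if (CREDENTIAL_FLAGS.some((f) => arg.startsWith(`${f}=`))) {
      removed = true;
      continue;
    }
    kept.push(arg);
  }
  return { argv: kept, removed };
}

// Vulnerable pattern: the original argv (token included) is echoed verbatim
// into the JSON suggestion a non-interactive caller is expected to run next.
function suggestVulnerable(argv, missingArgs) {
  return { suggestion: ["vercel", ...argv, ...missingArgs].join(" ") };
}

// Hardened pattern: credential arguments are stripped before the echo, and the
// caller is told to supply the credential through VERCEL_TOKEN instead.
function suggestHardened(argv, missingArgs) {
  const { argv: cleaned, removed } = stripCredentialArgs(argv);
  const payload = { suggestion: ["vercel", ...cleaned, ...missingArgs].join(" ") };
  if (removed) {
    payload.note = "credential flags omitted from suggestion; set VERCEL_TOKEN in the environment";
  }
  return payload;
}

// Remediation aid: extract --token/-t values from captured log lines so they
// can be rotated. Lines that parse as JSON are walked so values inside nested
// strings are seen unescaped; any other line is scanned as plain text.
// Assumption: a token value is a run of non-whitespace, non-quote characters.
const TOKEN_VALUE_RE = /(?:^|\s)(?:--token|-t)(?:=|\s+)([^\s"']+)/g;

function collectStrings(value, out) {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectStrings(v, out));
  else if (value && typeof value === "object") Object.values(value).forEach((v) => collectStrings(v, out));
  return out;
}

function findExposedTokens(logLines) {
  const exposed = new Set();
  for (const line of logLines) {
    let texts;
    try {
      texts = collectStrings(JSON.parse(line), []);
    } catch {
      texts = [line];
    }
    for (const text of texts) {
      for (const m of text.matchAll(TOKEN_VALUE_RE)) exposed.add(m[1]);
    }
  }
  return [...exposed];
}

// Constructed sample: a deploy started by an agent with --token but without --yes,
// followed by a constructed log with one JSON suggestion of each kind.
const SAMPLE_ARGV = ["deploy", "--non-interactive", "--token", "tok_EXAMPLE_DO_NOT_USE", "--prod"];
const SAMPLE_LOG = [
  "[agent] running vercel deploy",
  JSON.stringify(suggestVulnerable(SAMPLE_ARGV, ["--yes"])),
  JSON.stringify(suggestHardened(SAMPLE_ARGV, ["--yes"])),
  "retry: vercel ls -t tok_SECOND_EXAMPLE --scope my-team",
];

console.log(suggestVulnerable(SAMPLE_ARGV, ["--yes"]));
console.log(suggestHardened(SAMPLE_ARGV, ["--yes"]));
console.log("tokens to rotate:", findExposedTokens(SAMPLE_LOG));
```

The hardened variant deliberately drops the flag rather than masking its value: a suggestion containing `--token ****` still teaches the agent to keep passing the credential on the command line, whereas the note steers it to `VERCEL_TOKEN`, which the advisory states is unaffected.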
How to fix CVE-2026-44479
To fix CVE-2026-44479, upgrade the affected package to the patched version listed below.
- Upgrade to 52.0.1 or later
Is CVE-2026-44479 being exploited?
Low: EPSS is 0.0%, and no widespread exploitation activity has been observed.
Affected packages (1)
- >= 50.16.0, < 52.0.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|