PatchSiren cyber security CVE debrief
CVE-2026-45803 cli CVE debrief
CVE-2026-45803 is a low-severity GitHub CLI issue in which workflow log content can be rendered to a terminal without sanitizing control sequences. If an attacker can influence Actions log output, viewing a run with gh run view --log or gh run view --log-failed can cause terminal escape sequence injection in the user’s session. The issue is fixed in GitHub CLI 2.92.0.
- Vendor: cli
- Product: Unknown
- CVSS: LOW 3.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-21
Who should care
Organizations and individuals using GitHub CLI to inspect GitHub Actions workflow logs, especially when reviewing runs influenced by untrusted input such as pull requests or other externally contributed workflow activity.
Technical summary
According to the GitHub advisory and NVD, affected GitHub CLI versions from 1.6.0 before 2.92.0 stream raw GitHub Actions log lines to stdout or the configured pager without sanitizing terminal control sequences. That allows crafted log content to be replayed in the viewer’s terminal, which can alter display behavior and, depending on the terminal emulator, may have more serious effects. NVD lists the issue as CVSS 3.1 3.5/LOW with vector AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N and maps it to CWE-150.
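As an added defensive illustration (this is not code from the GitHub CLI project or the advisory), the following Go function shows the neutralisation step a log viewer needs before replaying untrusted log lines: every control byte that could start or form a terminal sequence is rewritten as visible text, and the findings are counted by class so the same routine can serve as a scanner for suspicious log content. The sample log line in main is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding classes reported by SanitizeLogLine so a log scanner can distinguish a
// harmless colour code from an 8-bit C1 introducer or a bare cursor-control byte.
const (
	Esc  = "esc"  // 0x1B: introduces CSI, OSC, DCS and other 7-bit sequences
	C1   = "c1"   // U+0080..U+009F: 8-bit introducers such as CSI (U+009B), OSC (U+009D)
	Ctrl = "ctrl" // other C0 controls and DEL: CR, BS, BEL, ... (TAB is allowed)
)

// SanitizeLogLine neutralises terminal control characters in one log line before it
// is written to a terminal or pager. Each control byte is rewritten as visible text
// (ESC -> "^[", CR -> "^M", U+009B -> "\x9B"), so any sequence it introduced becomes
// inert but stays readable. It returns the cleaned line and a count per finding class.
func SanitizeLogLine(line string) (string, map[string]int) {
	var out strings.Builder
	findings := map[string]int{}
	for _, r := range line { // invalid UTF-8 bytes arrive as U+FFFD and are never passed raw
		switch {
		case r == '\t':
			out.WriteRune(r)
		case r == 0x1B:
			findings[Esc]++
			out.WriteString("^[")
		case r < 0x20 || r == 0x7F:
			findings[Ctrl]++
			fmt.Fprintf(&out, "^%c", (r+0x40)&0x7F)
		case r >= 0x80 && r <= 0x9F:
			findings[C1]++
			fmt.Fprintf(&out, "\\x%02X", r)
		default:
			out.WriteRune(r)
		}
	}
	return out.String(), findings
}

func main() {
	// Constructed sample: a coloured error line, an OSC title change and a CR that
	// would overwrite earlier output if the raw line were replayed to the terminal.
	sample := "\x1b[31mError:\x1b[0m build failed\x1b]0;owned\x07\rall good"
	clean, findings := SanitizeLogLine(sample)
	fmt.Printf("%v %s\n", findings, clean)
}
```

A non-empty findings map on a run from an external contributor is a reasonable trigger for closer review, since Actions logs have no legitimate need for OSC or cursor-movement sequences.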
Defensive priority
Moderate priority for teams that regularly inspect untrusted Actions logs with affected GitHub CLI versions. The exposure requires user interaction and attacker influence over log content, but the impact can still affect the local terminal session.
Recommended defensive actions
- Upgrade GitHub CLI to version 2.92.0 or later.
- Treat GitHub Actions logs as untrusted input when reviewing runs from external contributors or PR-triggered workflows.
- If you cannot upgrade immediately, minimize use of gh run view --log and gh run view --log-failed on runs influenced by untrusted contributors until you can.
Evidence notes
The CVE record and NVD entry identify GitHub CLI as the affected product, with vulnerable versions from 1.6.0 before 2.92.0. The GitHub Security Advisory linked in the source corpus states that gh run view --log and gh run view --log-failed can replay raw log content containing terminal escape sequences, and that the issue is fixed in 2.92.0. The CVSS vector provided by NVD is AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, supporting the low severity assessment.
Official resources
- CVE-2026-45803 CVE record (CVE.org)
- CVE-2026-45803 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference (NVD reference tags: Exploit, Mitigation, Vendor Advisory)
Publicly disclosed on 2026-05-15, with the CVE record last modified on 2026-05-21. The source corpus points to GitHub’s Security Advisory and NVD as the primary public references.