PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59831 cli CVE debrief

CVE-2026-59831 is a medium-severity vulnerability in GitHub CLI (gh) versions 2.10.0 through 2.95.0. The issue allows command execution when connecting to a malicious Codespace with 'gh codespace jupyter' due to improper validation of JupyterLab URLs supplied by a process inside the Codespace. This could potentially allow a crafted vscode:// or vscode-insiders:// URL to be handed to VS Code. The vulnerability is fixed in version 2.96.0.

Vendor
cli
Product
Unknown
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of GitHub CLI (gh) versions 2.10.0 through 2.95.0 should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 2.96.0 or later, and exercising caution when connecting to Codespaces.

Technical summary

The GitHub CLI (gh) is vulnerable to command execution when connecting to a malicious Codespace using 'gh codespace jupyter'. This is due to the lack of validation for JupyterLab URLs provided by a process inside the Codespace. An attacker could potentially craft a malicious vscode:// or vscode-insiders:// URL to be handled by VS Code. The issue is addressed in version 2.96.0. Users of affected versions (2.10.0 through 2.95.0) should update to 2.96.0 or later to mitigate this vulnerability. It's also crucial to exercise caution when connecting to Codespaces, especially those from untrusted sources, and monitor for any suspicious activity related to Codespace connections.

Defensive priority

Medium priority should be given to updating GitHub CLI (gh) to version 2.96.0 or later. Users should also be cautious when connecting to Codespaces, especially those from untrusted sources.

Recommended defensive actions

  • Update GitHub CLI (gh) to version 2.96.0 or later
  • Exercise caution when connecting to Codespaces, especially those from untrusted sources
  • Monitor for any suspicious activity related to Codespace connections
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-09T23:17:05.483Z and was last modified on 2026-07-10T19:17:58.040Z. The NVD entry is currently Undergoing Analysis. The vulnerability is described in the CVE record and additional information can be found in the GitHub security advisory.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T23:17:05.483Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.