GitHub CLI (gh) versions prior to 2.93.0 incorrectly transmit authorization tokens to external hosts during attestation and release verification operations. The vulnerability stems from flawed host normalization logic in the CLI's shared HTTP client authentication layer, which collapses any *.github.com subdomain to github.com. This causes requests to tuf-repo.github.com—a GitHub Pages site hosting TUF me [truncated]
CVE-2026-45803 is a low-severity GitHub CLI issue in which workflow log content can be rendered to a terminal without sanitizing control sequences. If an attacker can influence Actions log output, viewing a run with gh run view --log or gh run view --log-failed can cause terminal escape sequence injection in the user’s session. The issue is fixed in GitHub CLI 2.92.0.