PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8767 vercel CVE debrief

A command injection vulnerability exists in Vercel AI SDK versions up to 3.0.97, specifically within a GitHub Actions workflow file. The vulnerability resides in a `run` step of `.github/workflows/prettier-on-automerge.yml`, where the pull request's branch name is interpolated directly into a shell command, allowing OS command injection. The attack vector is network-reachable, but the attack complexity is rated high and the conditions needed to exploit it are difficult to meet; the CVSS 4.0 score of 1.3 reflects these constraints. The exploit has been publicly disclosed, and the vendor was reportedly contacted without response. The vulnerability affects the CPE `cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:*` with versions up to and including 3.0.97.

Vendor: vercel
Product: ai
CVSS: LOW 1.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-19
Advisory published: 2026-05-17
Advisory updated: 2026-05-19

Who should care

Organizations using Vercel AI SDK versions ≤3.0.97 with automated workflows triggered by pull requests; security teams responsible for CI/CD pipeline security; developers maintaining GitHub Actions workflows with user-controlled input

Technical summary

The vulnerability exists in a GitHub Actions workflow file where PR branch names are interpolated directly into shell commands without proper sanitization. This allows an attacker with the ability to create pull requests with maliciously crafted branch names to execute arbitrary OS commands within the workflow runner context. The attack requires the ability to create PRs and depends on the specific workflow trigger conditions.

Defensive priority

LOW

Recommended defensive actions

  • Review and sanitize all user-controlled inputs in GitHub Actions workflows, particularly branch names and PR metadata used in shell commands
  • Update Vercel AI SDK to version 3.0.98 or later when available
  • Audit `.github/workflows/prettier-on-automerge.yml` and similar workflow files for unsafe interpolation patterns
  • Implement branch name validation rules in repository settings to reject branch names containing shell metacharacters
  • Consider using GitHub Actions security hardening practices, including `set -euo pipefail` and avoiding direct `${{ ... }}` expression interpolation inside `run:` shell commands
  • Monitor for suspicious workflow runs or unauthorized repository access attempts
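As an added illustration of the technical summary and the last two defensive actions above (this is constructed example code, not the contents of the project's actual workflow file, which this debrief does not reproduce), the unsafe interpolation pattern is shown beside the hardened form: the expression is moved into an `env:` mapping so the branch name reaches bash as data rather than as script text, and an allowlist check rejects names with unexpected characters. The trigger, job names and git commands are assumptions.

```yaml
# Added example, not the project's real workflow. Constructed to show the pattern only.
name: prettier-on-automerge (illustrative)
on:
  pull_request:   # assumed trigger; the PR branch name is chosen by the PR author

jobs:
  unsafe-pattern:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: ${{ }} is expanded by the runner *before* bash starts, so any
      # shell metacharacters in the branch name become part of the script itself.
      # Wrapping the expression in quotes does not help: the quotes are part of the
      # script text and a crafted name can simply close them.
      - run: git checkout "${{ github.head_ref }}"

  hardened-pattern:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # FIXED: the expression is evaluated into an environment variable; bash then
      # sees only a quoted variable expansion, which is never re-parsed as code.
      - name: Validate branch name (allowlist, not denylist)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          set -euo pipefail
          # Allow letters, digits, '.', '_', '/', '-' only; length-bounded.
          if ! printf '%s\n' "$HEAD_REF" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$'; then
            echo "::error::branch name rejected: unexpected characters"
            exit 1
          fi
      - name: Use the branch name as data
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          set -euo pipefail
          git fetch origin "$HEAD_REF"
          git checkout "$HEAD_REF"
```

The same `env:` indirection applies to every other PR-controlled field (title, body, commit messages), not only `github.head_ref`.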

Evidence notes

Vulnerability data was sourced from NVD, with VulDB as the CNA. The CPE criterion confirms the affected product as Vercel AI up to version 3.0.97. The CVSS 4.0 vector indicates a network attack vector with high attack complexity, low privileges required, and no user interaction. Weaknesses are mapped to CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

Official resources

Public disclosure occurred on 2026-05-17 with exploit availability. Vendor contact was attempted prior to disclosure without response.