CVE-2026-44479
Vercel: Non-interactive mode includes CLI arguments in suggested command output
CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th
Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1.
| CWE | CWE-200 CWE-532 |
| Vendor | vercel |
| Product | vercel |
| Published | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for vercel vercel
Be the first to know when new medium vulnerabilities affecting vercel vercel are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
vercel / vercel
>= 50.16.0, < 52.0.1