#1136953 gh: CVE-2026-45803

Package: src:gh
Source: src:gh
Submitter: Salvatore Bonaccorso
Date: 2026-05-17 14:51:05 UTC
Severity: normal
Tags:
#1136953#5
Date: 2026-05-17 14:50:59 UTC
Hi,

The following vulnerability was published for gh.

CVE-2026-45803[0]:
| `gh` is GitHub’s official command line tool. From 1.6.0 to before
| 2.92.0, a security vulnerability has been identified in GitHub CLI
| that could allow terminal escape sequence injection when users view
| GitHub Actions workflow logs using gh run view --log or gh run view
| --log-failed. The vulnerability stems from the way GitHub CLI
| handles raw Actions log output. The gh run view --log and gh run
| view --log-failed commands stream workflow log lines to stdout or
| the configured pager without sanitizing terminal control sequences.
| An attacker who can influence GitHub Actions log content, for
| example via a PR triggered workflow, can embed escape sequences that
| are replayed in the user's terminal when they inspect the run.
| Depending on the victim's terminal emulator, injected sequences
| could change the window title, manipulate on screen content, or in
| some terminal emulators (such as screen) potentially execute
| arbitrary commands. This vulnerability is fixed in 2.92.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45803
https://www.cve.org/CVERecord?id=CVE-2026-45803
[1] https://github.com/cli/cli/security/advisories/GHSA-crc3-h8v6-qh57

Regards,
Salvatore
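The advisory above describes the defect as streaming raw Actions log lines to the terminal without neutralizing control sequences. The following Go program is an added example (not code from gh, from the 2.92.0 fix, or from the advisory) of one way such output can be sanitized before display: `sanitizeLine` and `sanitizeLog` are hypothetical helper names, and the sample log lines are constructed for the demo. It strips 7-bit ESC-introduced sequences (CSI, OSC/DCS/SOS/PM/APC strings, two-byte ESC sequences), UTF-8 encoded C1 controls such as U+009B (the 8-bit CSI), and stray C0 bytes other than tab, so that an OSC title change, a screen clear or an OSC 8 hyperlink in a log line reaches the terminal only as its printable remainder.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// sanitizeLine returns line with terminal control sequences neutralized:
// ESC-introduced sequences, UTF-8 encoded C1 controls (U+0080..U+009F) and
// all C0 control bytes except tab are dropped; printable text is kept.
// Hypothetical helper, not the gh project's own code.
func sanitizeLine(line string) string {
	var out strings.Builder
	i := 0
	for i < len(line) {
		c := line[i]
		switch {
		case c == 0x1b: // ESC: skip the whole sequence it introduces
			i = skipEscape(line, i)
		case c == 0xc2 && i+1 < len(line) && line[i+1] >= 0x80 && line[i+1] <= 0x9f:
			i += 2 // UTF-8 encoded C1 control, e.g. U+009B (8-bit CSI)
		case c < 0x20 && c != '\t', c == 0x7f:
			i++ // other C0 controls (CR, BS, BEL, ...) and DEL
		default:
			out.WriteByte(c)
			i++
		}
	}
	return out.String()
}

// skipEscape returns the index just past the escape sequence starting at
// line[i], which must be ESC. A truncated sequence consumes to end of line,
// the safe direction: a terminal would keep eating bytes anyway.
func skipEscape(line string, i int) int {
	i++ // consume ESC
	if i >= len(line) {
		return i
	}
	switch line[i] {
	case '[': // CSI: bytes 0x20-0x3F, then one final byte 0x40-0x7E
		i++
		for i < len(line) && line[i] >= 0x20 && line[i] <= 0x3f {
			i++
		}
		if i < len(line) && line[i] >= 0x40 && line[i] <= 0x7e {
			i++
		}
		return i
	case ']', 'P', 'X', '^', '_': // OSC/DCS/SOS/PM/APC: ends at BEL or ST (ESC \)
		i++
		for i < len(line) {
			if line[i] == 0x07 {
				return i + 1
			}
			if line[i] == 0x1b && i+1 < len(line) && line[i+1] == '\\' {
				return i + 2
			}
			i++
		}
		return i
	default: // two-byte sequence such as ESC c (RIS) or ESC 7
		return i + 1
	}
}

// sanitizeLog copies log lines from r to w, sanitizing each one, and reports
// how many lines had control sequences removed so the caller can tell the
// user the log was altered for display.
func sanitizeLog(r io.Reader, w io.Writer) (int, error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // allow long log lines
	changed := 0
	for sc.Scan() {
		line := sc.Text()
		clean := sanitizeLine(line)
		if clean != line {
			changed++
		}
		if _, err := fmt.Fprintln(w, clean); err != nil {
			return changed, err
		}
	}
	return changed, sc.Err()
}

func main() {
	// Constructed sample log (not real gh output): an innocent line, an OSC 0
	// window-title change, a CSI screen clear plus colour, and an OSC 8
	// hyperlink terminated by ST.
	sample := "2026-05-17T14:50:00Z Run echo hello\n" +
		"2026-05-17T14:50:01Z hello \x1b]0;title\x07done\n" +
		"2026-05-17T14:50:02Z \x1b[2J\x1b[H\x1b[31mlooks fine\x1b[0m\n" +
		"2026-05-17T14:50:03Z \x1b]8;;http://example.invalid\x1b\\click\x1b]8;;\x1b\\\n"
	n, err := sanitizeLog(strings.NewReader(sample), os.Stdout)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "%d line(s) had control sequences removed\n", n)
}
```

Stripping rather than escaping is the simpler choice for a log viewer; a tool that wants to preserve colour could instead allow-list SGR (`ESC [ ... m`) and drop everything else. Either way the count returned by `sanitizeLog` is worth surfacing, since a log that needed sanitizing is itself a signal that someone tried to smuggle control bytes into the run.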