CVE-2026-45803
Published 2026-05-15
Priority: P4 · 20 · low · CVSS 3.1: 3.5
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.20% (10.0th percentile)
`gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using `gh run view --log` or `gh run view --log-failed`. The vulnerability stems from the way GitHub CLI handles raw Actions log output. The `gh run view --log` and `gh run view --log-failed` commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR-triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on-screen content, or in some terminal emulators (such as screen) potentially execute arbitrary commands. This vulnerability is fixed in 2.92.0.
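The missing step described above, neutralizing control sequences before log lines reach stdout or a pager, can look like the following. This is an added example, not GitHub CLI's actual fix or code from any of the advisories; the function name `sanitizeLogLine` and the sample log lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// sanitizeLogLine (hypothetical name) rewrites terminal control characters
// as visible text so untrusted log content cannot drive the terminal.
// Tab is kept; ESC, BEL, CR and other C0/C1 controls are escaped.
func sanitizeLogLine(line string) string {
	var b strings.Builder
	for i := 0; i < len(line); {
		r, size := utf8.DecodeRuneInString(line[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			// Invalid UTF-8 byte: show it instead of passing it through.
			fmt.Fprintf(&b, "\\x%02x", line[i])
		case r == '\t':
			b.WriteRune(r)
		case r < 0x20 || r == 0x7f:
			// C0 controls and DEL, including ESC (0x1b) and BEL (0x07).
			fmt.Fprintf(&b, "\\x%02x", r)
		case r >= 0x80 && r <= 0x9f:
			// C1 controls, the 8-bit forms of CSI/OSC introducers.
			fmt.Fprintf(&b, "\\u%04x", r)
		default:
			b.WriteRune(r)
		}
		i += size
	}
	return b.String()
}

func main() {
	// Constructed sample lines: plain text, a window-title sequence,
	// and an erase-line sequence followed by a carriage return.
	samples := []string{
		"2026-05-15T10:00:00Z build ok",
		"step\x1b]0;title\x07 done",
		"\x1b[2K\rall checks passed",
	}
	for _, s := range samples {
		fmt.Println(sanitizeLogLine(s))
	}
}
```

Escaping rather than deleting keeps the injected bytes visible to whoever is reviewing the run, which is useful evidence when triaging a suspicious workflow.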
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cli | cli | — | — |
| github.com | cli_cli | 1.6.0 – 1.14.0 | — |
| github.com | cli_cli_v2 | >= 0 < 2.92.0 | 2.92.0 |
| github | cli | >= 1.6.0 < 2.92.0 | 2.92.0 |
| openshift-gitops-1 | argocd-rhel8 | — | — |
| openshift-gitops-1 | argocd-rhel9 | — | — |
| rhoso-operators | openstack-operator-bundle | — | — |
CVSS provenance
nvd · v3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
vendor_redhat · 3.5 LOW
GHSA
GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
ghsa·2026-05-19
CVE-2026-45803 [LOW] CWE-150 GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
### Summary
A security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using `gh run view --log` or `gh run view --log-failed`.
### Details
The vulnerability stems from the way GitHub CLI handles raw Actions log output. The `gh run view --log` and `gh run view --log-failed` commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR-triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run.
Depending on the
VulDB
cli up to 2.91.x control sequence
vuldb·2026-05-15·CVSS 3.5
CVE-2026-45803 [LOW] cli up to 2.91.x control sequence
A vulnerability categorized as problematic has been discovered in cli up to 2.91.x. This affects an unknown part. Such manipulation leads to improper neutralization of escape, meta, or control sequences.
This vulnerability is referenced as CVE-2026-45803. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
Red Hat
github.com/cli/cli: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs
vendor_redhat·2026-05-15·CVSS 3.5
CVE-2026-45803 [LOW] CWE-150 github.com/cli/cli: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs
A flaw was found in GitHub CLI. A remote attacker who can influence GitHub Actions workflow log output could inject terminal escape sequences into workflow logs. When a user views these logs using `gh run view --log` or `gh run view --log-failed`, the injected sequences may be replayed by the user's terminal. Depending on the terminal emulator in use, this could result in manipulation of displayed content, changes to the terminal window title, or other unintended terminal behavior.
Statement: Red Hat Product Security rates this issue as having a Low security impact.
This issue results from insufficient sanitization of terminal control sequences in GitHub Actions workflow logs d
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-45803 gh: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs [epel-all]
bugzilla·2026-06-01·CVSS 3.5
CVE-2026-45803 [LOW] CVE-2026-45803 gh: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-45803 gh: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs [fedora-all]
bugzilla·2026-06-01·CVSS 3.5
CVE-2026-45803 [LOW] CVE-2026-45803 gh: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs [fedora-all]
Bugzilla
CVE-2026-45803 github.com/cli/cli: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs
bugzilla·2026-05-15·CVSS 3.5
CVE-2026-45803 [LOW] CVE-2026-45803 github.com/cli/cli: GitHub CLI: Arbitrary command execution via terminal escape sequence injection in workflow logs
2026-05-15
Published