VYPR
Medium severity (5.0) · NVD Advisory · Published May 17, 2026 · Updated May 19, 2026

CVE-2026-8767


Description

A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in vercel ai's GitHub Actions workflow allows attackers to execute arbitrary commands via malicious PR branch names.

Vulnerability

The vulnerability resides in the GitHub Actions workflow file .github/workflows/prettier-on-automerge.yml of vercel ai up to version 3.0.97. A run step interpolates the pull request's head branch name (github.event.pull_request.head.ref) directly into its shell script using ${{ }} syntax. The Actions runner expands ${{ }} expressions into the script text before the shell is invoked, so any shell metacharacters in the branch name become script rather than data, and quoting the expression inside the script does not change that. An attacker can therefore inject OS commands by choosing a branch name that contains a command substitution such as $(...), using $IFS in place of the spaces that git ref names cannot contain [1].

Exploitation

An attacker must be able to open a pull request against the repository; the head branch name is chosen by whoever opens the PR. The attack is remote but rated high complexity because of branch name constraints (no spaces or quotes); the attacker works around them by embedding command substitution with $() and using $IFS as the word separator. When the workflow triggers on the pull request event, the branch name is spliced into the bash script and the injected commands execute on the runner with the permissions of that workflow run [1].

Impact

Successful exploitation allows the attacker to execute arbitrary bash commands on the GitHub Actions runner. This can lead to unauthorized modification of repository contents, compromise of secrets or credentials accessible to the runner, and other actions depending on the runner's permissions [1]. What is reachable depends on how the workflow is triggered: a run on the pull_request event for a PR from a fork receives a read-only GITHUB_TOKEN and no repository secrets, whereas a run on pull_request_target, or for a PR opened from a branch in the repository itself, has the repository's secrets and token permissions available. Which case applies depends on the affected workflow's trigger and permissions settings, which the advisory does not state.

Mitigation

No official fix has been released by the vendor (vercel), who did not respond to the disclosure. The remediation is a change to the workflow, not to the published package: assign the branch name to a variable in the step's env: map and read it from the script as a quoted shell variable, so the value reaches bash through the environment and is never parsed as script [1]. The same treatment applies to every other attacker-controllable context value used in a run step (pull request title and body, commit messages, issue and comment text). Because the affected file is the repository's own CI workflow, the exposure is to the vercel ai repository and its runners rather than to applications that install the ai package; maintainers of forks or copies of the workflow should apply the env: change to their copy, and the upstream repository should be updated to a version beyond 3.0.97 once one is available.
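The expansion mechanism described under Vulnerability and the env: remediation above, as an added example that is not code from vercel ai or from the advisory. It models the runner's ${{ }} expansion as plain string substitution into a hypothetical step body (an echo of the branch name, standing in for whatever the real workflow's step does), runs the result with bash the way a Linux runner would, and contrasts it with the env:-based form. The branch name, the step bodies and the function names render_step, run_interpolated, run_via_env and env_path_is_literal are all constructed for this demonstration.

```sh
#!/bin/sh
# Added example, not code from vercel ai or the advisory. Models how the Actions
# runner turns a `run:` step into a shell script: once with the branch name
# spliced in via ${{ }} (the vulnerable pattern) and once passed through env:
# (the remediation). Step bodies and the branch name are constructed for the demo.
set -u

# Expression the runner expands into the script text before the shell starts.
PLACEHOLDER='${{ github.event.pull_request.head.ref }}'

# Hypothetical vulnerable step body, standing in for the real workflow's step:
#   run: echo "Formatting branch ${{ github.event.pull_request.head.ref }}"
# The double quotes do not help: substitution happens in the script TEXT, so the
# branch name's $( ) is already shell syntax by the time bash parses the line.
VULN_TEMPLATE="echo \"Formatting branch $PLACEHOLDER\""

# Hardened step body. In the workflow it pairs with
#   env:
#     BRANCH: ${{ github.event.pull_request.head.ref }}
#   run: echo "Formatting branch $BRANCH"
# The value reaches the script through the environment and is never re-parsed.
SAFE_TEMPLATE='echo "Formatting branch $BRANCH"'

# Constructed attacker branch name. It passes git's ref-name rules (no space, ~,
# ^, :, ?, *, [ or \), so it can be pushed and used to open a PR; ${IFS} stands
# in for the space that a ref name cannot contain.
ATTACKER_BRANCH='feat/$(id${IFS}-u)'

# Runner-side template expansion: plain textual substitution of the first
# ${{ }} occurrence into the step body. No escaping or quoting is applied.
render_step() {
  rs_template=$1
  rs_ref=$2
  case $rs_template in
    *"$PLACEHOLDER"*)
      printf '%s' "${rs_template%%"$PLACEHOLDER"*}$rs_ref${rs_template#*"$PLACEHOLDER"}" ;;
    *)
      printf '%s' "$rs_template" ;;
  esac
}

# Vulnerable path: hand the rendered script to bash (the shell Actions uses on
# Linux runners); returns the step's stdout.
run_interpolated() {
  bash -c "$(render_step "$VULN_TEMPLATE" "$1")"
}

# Hardened path: export the branch name and let the script read "$BRANCH";
# returns the step's stdout.
run_via_env() {
  BRANCH="$1" bash -c "$SAFE_TEMPLATE"
}

# Check a practitioner can reuse: does the env-based step echo the ref
# byte-for-byte, i.e. did nothing inside it execute?
env_path_is_literal() {
  [ "$(run_via_env "$1")" = "Formatting branch $1" ]
}

echo "rendered vulnerable script: $(render_step "$VULN_TEMPLATE" "$ATTACKER_BRANCH")"
echo "interpolated step output  : $(run_interpolated "$ATTACKER_BRANCH")"
echo "env-based step output     : $(run_via_env "$ATTACKER_BRANCH")"
```

The interpolated run prints the runner's numeric user id in place of the branch name, proving that id -u executed, while the env-based run prints the branch name verbatim including its $( ) and ${IFS}. The fix carries over unchanged to the workflow file: move every ${{ }} reference to attacker-influenced context out of run: and into env:, then reference the variable with double quotes in the script.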

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4
