Medium severity 5.0 · NVD Advisory · Published May 17, 2026 · Updated May 19, 2026
CVE-2026-8767
Description
A vulnerability has been found in vercel ai up to 3.0.97. It affects the function run in the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. Manipulation leads to OS command injection. The attack can be initiated remotely. Attack complexity is rather high, and exploitation is considered difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
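A check for this class of flaw, as an added example that is not part of the advisory or the project's code: it flags pull-request branch-name expressions expanded inside a workflow `run:` script. The advisory does not show the workflow, so the two GitHub Actions contexts matched here are an assumption about how the branch name reaches the script, and both sample fragments are constructed.

```python
import re

# Expressions that expand to the pull request's branch name (attacker-chosen).
# Assumption: the advisory does not say which expression the workflow uses.
TAINTED = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.pull_request\.head\.ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_branch_injection(workflow_text):
    """Return (line_no, text) where a branch-name expression is expanded inside
    a `run:` script, i.e. pasted into shell source before the shell parses it."""
    findings, run_col = [], None  # run_col: column of the active `run:` key
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = RUN_KEY.match(line)
        if match:
            run_col, body = len(match.group(1)), match.group(2)
        elif run_col is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_col:
                run_col = None  # dedent: the run script has ended
                continue
            body = line
        else:
            continue
        if TAINTED.search(body):
            findings.append((number, line.strip()))
    return findings

# Constructed fragments, not the contents of the affected workflow file.
VULNERABLE = """\
steps:
  - name: Push formatting fixes
    run: |
      git checkout ${{ github.head_ref }}
      git push origin HEAD:${{ github.head_ref }}
"""
# Hardened form: the value reaches the shell as data through an env variable.
HARDENED = """\
steps:
  - name: Push formatting fixes
    env:
      BRANCH: ${{ github.head_ref }}
    run: |
      git checkout "$BRANCH"
      git push origin "HEAD:$BRANCH"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_branch_injection(text))
```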
References
- gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0 (nvd: Exploit, Third Party Advisory)
- vuldb.com/submit/811402 (nvd: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/364392 (nvd: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/364392/cti (nvd: Permissions Required, VDB Entry)
News mentions
- Vercel AI SDK: Three CVEs Disclosed in provider-utils Package — SSRF, Resource Exhaustion, and CI Command Injection (Vypr Intelligence · May 17, 2026)