Three CVEs Disclosed in Vercel AI SDK: SSRF, Resource Exhaustion, and CI Command Injection
Three vulnerabilities were disclosed in Vercel's AI SDK on May 17, 2026, including a high-severity SSRF in the provider-utils package and a CI pipeline command injection flaw.
Three security vulnerabilities in Vercel's AI SDK (the vercel ai npm package) were published on May 17, 2026, all affecting versions up to and including 3.0.97. The batch clusters around the provider-utils sub-package, with one additional flaw in the project's CI/CD workflow. The most severe of the three, CVE-2026-8768, carries a CVSSv3 score of 7.3 (High) and involves a server-side request forgery (SSRF) vector.
CVE-2026-8768 is the batch's headline finding. The vulnerability resides in the validateDownloadUrl function inside packages/provider-utils/src/download-blob.ts. An attacker who can supply a crafted URL to the download-blob utility can trick the server into making requests to internal or otherwise restricted network resources. SSRF flaws in AI SDK utilities are particularly concerning because these packages are commonly deployed in serverless and edge environments (e.g., Vercel Functions) where internal metadata services and cloud provider endpoints may be reachable. The vulnerability is remotely exploitable, and exploit code has been made public according to the disclosure notes.
CVE-2026-8769 (CVSSv3 4.3, Medium) targets the createJsonResponseHandler and createJsonErrorResponseHandler functions in packages/provider-utils/src/response-handler.ts. The manipulation causes excessive resource consumption, potentially enabling a denial-of-service condition against applications using the AI SDK's provider-utils response parsing. While the CVSS score is moderate, the attack surface is broad — any application that processes JSON responses through the affected handler functions is exposed.
CVE-2026-8767 (CVSSv3 5.0, Medium) is a different class of threat: OS command injection via the run function in .github/workflows/prettier-on-automerge.yml. The vulnerability stems from PR branch name interpolation in the GitHub Actions workflow. An attacker who can open a pull request with a crafted branch name could achieve remote code execution within the CI runner. The disclosure notes that the attack complexity is "rather high," but a successful exploit could compromise the CI/CD pipeline, potentially leading to supply-chain risks if secrets or publishing credentials are exfiltrated.
All three CVEs affect vercel ai versions up to 3.0.97. Users should upgrade to version 3.0.98 or later, which contains the fixes for all three issues. The Vercel AI SDK is widely used in the Next.js and Vercel ecosystem for building AI-powered applications, including streaming chat interfaces, tool-calling agents, and retrieval-augmented generation (RAG) pipelines. Teams running any version below 3.0.98 should prioritize the update, particularly for the SSRF flaw (CVE-2026-8768) which has public exploit code.
The three CVEs illustrate a recurring pattern in open-source AI tooling: rapid feature development can outpace security hardening in utility libraries and CI configurations. The provider-utils package is a shared dependency used across multiple AI SDK providers, meaning a single vulnerable function can affect a wide range of integrations. Users of the Vercel AI SDK should verify their dependency tree and ensure no pinned version below 3.0.98 remains in production or CI environments.