
CVE-2026-48501: GitHub CLI Leaks Auth Token — Patch to 2.93.0 Now


If you have ever run gh attestation verify, gh release verify, or gh release verify-asset, your GitHub authentication token has been leaking to third-party servers. GitHub patched the bug this week in CLI v2.93.0 (CVE-2026-48501 / GHSA-8xvp-7hj6-mcj9). If you have not upgraded and rotated your token, do that before reading further.

What the Bug Does

When GitHub CLI fetches TUF (The Update Framework) metadata from mirror hosts during artifact attestation and release verification, it was incorrectly attaching the Authorization header — your GitHub Bearer token — to those requests. TUF mirror hosts are not GitHub API servers. They should never receive your credentials.

Two groups are affected differently:

  • github.com users: Your token was sent to tuf-repo.github.com, a GitHub Pages domain — not the GitHub API.
  • Enterprise users: Your enterprise token (GH_ENTERPRISE_TOKEN / GITHUB_ENTERPRISE_TOKEN) was sent to tuf-repo-cdn.sigstore.dev (the Sigstore CDN) and tmaproduction.blob.core.windows.net (an Azure Blob endpoint). Neither is operated by GitHub.

All GitHub CLI versions up to and including v2.92.0 are affected.
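The defect the advisory describes is a credential scoped to an account being attached to requests regardless of destination host. The following Go snippet is an added illustration, not code from the gh project: authHeaderFor models the pre-2.93.0 behaviour (scoped=false, token sent to every host) beside a host allow-list check (scoped=true), using the API host and the three mirror hosts named above; the token value and URL paths are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// The API host that should see the token, and the TUF mirror hosts from the
// advisory that should not. Paths are constructed for the demonstration.
const apiHost = "api.github.com"

var mirrors = []string{
	"https://tuf-repo.github.com/metadata/timestamp.json",
	"https://tuf-repo-cdn.sigstore.dev/targets",
	"https://tmaproduction.blob.core.windows.net/tuf/root.json",
}

// shouldAttachToken is the allow-list check: only HTTPS requests whose host
// is exactly the configured API host get the bearer token. Exact matching
// matters: a suffix test such as HasSuffix(host, "github.com") would still
// let tuf-repo.github.com through.
func shouldAttachToken(u *url.URL, api string) bool {
	return u.Scheme == "https" && strings.EqualFold(u.Hostname(), api)
}

// authHeaderFor returns the Authorization header value a client would send
// to rawURL. scoped=false models the pre-2.93.0 behaviour described in the
// advisory (token attached to every host); scoped=true models the host
// allow-list fix. An empty string means no header would be sent.
func authHeaderFor(rawURL, token, api string, scoped bool) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if !scoped || shouldAttachToken(u, api) {
		return "Bearer " + token, nil
	}
	return "", nil
}

func main() {
	tok := "gho_EXAMPLE" // constructed placeholder, not a real token
	targets := append([]string{"https://api.github.com/user"}, mirrors...)
	for _, t := range targets {
		before, _ := authHeaderFor(t, tok, apiHost, false)
		after, _ := authHeaderFor(t, tok, apiHost, true)
		fmt.Printf("%-58s before=%q after=%q\n", t, before, after)
	}
}
```

Running it prints the header each host would have received before and after the allow-list, which is the same comparison a proxy capture of gh traffic would show.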

The Irony Is Hard to Miss

The commands that triggered this leak — gh attestation verify and gh release verify — are the tools developers run specifically to verify supply chain integrity. You were doing everything right: checking provenance, validating Sigstore attestations, enforcing SLSA compliance. And the tool doing the checking was leaking your token the whole time. CVSS rates this 3.1 (medium), but a GitHub OAuth token is not a medium-severity object.

What an Attacker Can Do With Your Token

A GitHub OAuth token is scoped to your account, not a single repository. Anyone who captured your token can read and clone every private repo you have access to, push commits with backdoors, tamper with GitHub Actions workflows, and harvest credentials stored as repository secrets. Tokens do not expire on their own — they remain valid until you manually revoke them.

This is not theoretical. The Nx Console supply chain attack in May 2026 — which breached 3,800 internal GitHub repositories and hit roughly 6,000 developers — started with a stolen GitHub CLI OAuth token harvested from a contributor’s machine. Tokens are the entry point.

Fix: Upgrade to v2.93.0 and Rotate Your Token

Upgrade first, then rotate. Do not skip the rotation step.

# Check your current version
gh --version

# macOS (Homebrew)
brew upgrade gh

# Debian / Ubuntu
sudo apt update && sudo apt install gh

# Windows (winget)
winget upgrade GitHub.cli

# Windows (Chocolatey)
choco upgrade gh

# Confirm
gh --version  # Should show 2.93.0 or higher

To rotate your token:

  1. Run gh auth logout, then gh auth login to generate a fresh token.
  2. Visit github.com/settings/tokens and revoke any Personal Access Tokens you no longer recognise.
  3. Review authorized GitHub Apps at github.com/settings/applications.
  4. Enterprise users: rotate GH_ENTERPRISE_TOKEN and update every CI/CD pipeline that uses it.

A step-by-step rotation guide is available at howtorotate.com.

Part of a Bigger Pattern

CVE-2026-48501 fits a pattern that has been building all year. Nx Console v18.95.0 (May 2026) harvested credentials from 6,000 developers in 18 minutes. Cline CLI 2.3.0 (February 2026) installed unauthorized software on 4,000 machines. A VSCode flaw disclosed this week leaked GitHub tokens from the IDE itself. Developer tools — the CLI, the IDE extension, the CI/CD runner — have become the primary attack surface for token theft.

The consistent lesson: tokens stored in your development environment are high-value targets. Rotate them regularly, use fine-grained PATs with minimal scopes where possible, and treat your dev machine’s credential store with the same discipline as production secrets.

For complete technical details, see the official GitHub security advisory and the v2.93.0 release notes.

ByteBot