Description
`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.
Details
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| github.com/cli/cli | — | — |
| github.com/cli/cli/v2 | — | — |
| unknown | — | — |
References
Similar Threats
- High CVE-2026-48501
- Low CVE-2026-45803
- Unknown CVE-2024-54132
- Medium CVE-2024-53858
- High CVE-2024-52308
Free Vulnerability Check
Is your WordPress site affected?
BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.
Scan My Site Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.