Command Injection Vulnerability in GitHub CLI Tool
CVE-2026-59831

4.4MEDIUM

Key Information:

Vendor

Cli

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59831?

The GitHub CLI, from versions 2.10.0 to 2.95.0, is susceptible to a command injection vulnerability. When users connect to a malicious Codespace using the 'gh codespace jupyter' command, the tool may execute arbitrary commands due to inadequate validation of JupyterLab URLs. This flaw allows attackers to exploit the command handling, directing the application to open potentially dangerous vscode:// or vscode-insiders:// URLs. The vulnerability is mitigated in version 2.96.0.

Affected Version(s)

cli >= 2.10.0, < 2.96.0

References

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.