Skip to main content

GitHub Copilot CLI CVE-2026-29783

HIGH
OS Command Injection (CWE-78)
2026-03-06 security-advisories@github.com GHSA-g8r9-g2v8-jv6f
7.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
May 18, 2026 - 13:13 vuln.today
Analysis Updated
May 18, 2026 - 13:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 18, 2026 - 13:07 vuln.today
cvss_changed
CVSS changed
May 18, 2026 - 13:07 NVD
7.5 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 17:16 nvd
N/A

DescriptionGitHub Advisory

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423.

The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations.

The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.

AnalysisAI

Arbitrary code execution in GitHub Copilot CLI versions <=0.0.422 allows attackers to bypass the agent's shell command safety classifier using bash parameter expansion operators (${var@P}, ${var=value}, ${!var}, and nested $(cmd)/<(cmd)). Attackers influencing agent inputs via prompt injection through repository files, MCP server responses, or user instructions can execute hidden commands disguised as read-only operations on the user's workstation. A detailed proof-of-concept is published in the GHSA advisory; EPSS is low (0.10%, 28th percentile) and the issue is not in CISA KEV, so no public exploit identified at time of analysis beyond the vendor-published PoC.

Technical ContextAI

GitHub Copilot CLI is an npm-distributed package (@github/copilot) that exposes an AI coding agent in the terminal with a shell tool gated by a safety classifier that labels commands as read-only or write-capable. The vulnerability (CWE-78, OS Command Injection) abuses bash's parameter expansion grammar: the @P prompt transformation re-evaluates a variable's contents as if it were a PS1 prompt (which performs command substitution), assignment forms ${var=value}/${var:=value} let an attacker stage payloads across multiple expansions, ${!var} performs indirect dereferencing, and nested $(cmd)/<(cmd) within default-value expansions trigger subshell execution. The classifier inspected the outer command (e.g., echo) but did not recursively analyze parameter expansion side effects, so a command like 'echo ${a="$"}${b="$a(touch /tmp/pwned)"}${b@P}' parsed as a safe echo while actually executing the embedded touch.

RemediationAI

Vendor-released patch: upgrade @github/copilot to 0.0.423 or later (npm install -g @github/copilot@0.0.423), per the release notes at https://github.com/github/copilot-cli/releases/tag/v0.0.423 and advisory GHSA-g8r9-g2v8-jv6f. The 0.0.423 release adds explicit user prompting and guardrails for shell commands containing potentially dangerous expansion or substitution patterns. If immediate upgrade is not possible, compensating controls include: running Copilot CLI only inside an ephemeral container or sandbox so an injected command cannot reach the host workstation (trade-off: complicates local file edits and persistent state); avoiding pointing the agent at untrusted repositories, MCP servers, or pasted instructions until upgraded (trade-off: blocks legitimate exploratory use); and disabling or vetting third-party MCP servers configured for the CLI (trade-off: loses MCP-provided functionality). Generic shell-allowlisting at the OS level is not a reliable mitigation because the attack hides behind ostensibly safe utilities like echo.

Share

CVE-2026-29783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy