Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Hostile terminal output is delivered remotely (AV:N) with no auth (PR:N) but requires the victim to render it (UI:R); overwriting a shell rc file yields code execution, so C/I/A are all High.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Warp is an agentic development environment. From 0.2025.03.05.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepts non-inline OSC 1337;File payloads from terminal output and materialize the decoded payload as a local file without an additional confirmation step. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
AnalysisAI
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stable_01) lets malicious terminal output silently drop attacker-controlled files onto disk. Warp honored non-inline OSC 1337;File (and multipart MultipartFile) iTerm2 escape sequences by base64-decoding the payload and writing it to the active block's current working directory using the attacker-supplied filename, with no confirmation prompt. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim is running a vulnerable Warp build (>= 0.2025.03.05.08.02.stable_00 and < 0.2026.05.06.15.42.stable_01) and that attacker-controlled bytes reach the terminal containing a non-inline OSC 1337;File or MultipartFile escape sequence (inline=0) - for example via cat/less of a hostile file, a remote SSH/program output stream, or a malicious repository's command output. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (base 8.8, High) is consistent with the mechanism: the trigger arrives over the network via terminal output (AV:N), requires no authentication to Warp itself (PR:N), is low-complexity (AC:L), but needs the victim to render the hostile output (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a file or controls a remote command's output containing a crafted OSC 1337;File=name=LnpzaGVudg==;inline=0:<base64 payload> sequence whose decoded payload is a malicious shell snippet and whose name is .zshenv. When the victim views or runs the command in a vulnerable Warp build (for example, cat'ing the file or reading a hostile SSH banner), Warp silently writes .zshenv into the session's working directory; the attacker's code then runs the next time a shell is started. … |
| Remediation | Upgrade to the fixed build: Vendor-released patch: 0.2026.05.06.15.42.stable_01 (or any later stable release). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit Warp adoption across the organization; restrict Warp usage to trusted corporate networks only; disconnect affected machines from external systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39017