Skip to main content

Warp CVE-2026-48720

| EUVDEUVD-2026-39017 HIGH
Improper Input Validation (CWE-20)
2026-06-24 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Hostile terminal output is delivered remotely (AV:N) with no auth (PR:N) but requires the victim to render it (UI:R); overwriting a shell rc file yields code execution, so C/I/A are all High.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 19:17 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 18:20 vuln.today
Analysis Generated
Jun 24, 2026 - 18:20 vuln.today

DescriptionCVE.org

Warp is an agentic development environment. From 0.2025.03.05.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepts non-inline OSC 1337;File payloads from terminal output and materialize the decoded payload as a local file without an additional confirmation step. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

AnalysisAI

Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stable_01) lets malicious terminal output silently drop attacker-controlled files onto disk. Warp honored non-inline OSC 1337;File (and multipart MultipartFile) iTerm2 escape sequences by base64-decoding the payload and writing it to the active block's current working directory using the attacker-supplied filename, with no confirmation prompt. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to render hostile output
Delivery
Emit OSC 1337;File with inline=0
Exploit
Warp decodes base64 payload
Execution
Write .zshenv to session CWD
Persist
Wait for next shell start
Impact
Malicious snippet executes as user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is running a vulnerable Warp build (>= 0.2025.03.05.08.02.stable_00 and < 0.2026.05.06.15.42.stable_01) and that attacker-controlled bytes reach the terminal containing a non-inline OSC 1337;File or MultipartFile escape sequence (inline=0) - for example via cat/less of a hostile file, a remote SSH/program output stream, or a malicious repository's command output. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (base 8.8, High) is consistent with the mechanism: the trigger arrives over the network via terminal output (AV:N), requires no authentication to Warp itself (PR:N), is low-complexity (AC:L), but needs the victim to render the hostile output (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a file or controls a remote command's output containing a crafted OSC 1337;File=name=LnpzaGVudg==;inline=0:<base64 payload> sequence whose decoded payload is a malicious shell snippet and whose name is .zshenv. When the victim views or runs the command in a vulnerable Warp build (for example, cat'ing the file or reading a hostile SSH banner), Warp silently writes .zshenv into the session's working directory; the attacker's code then runs the next time a shell is started. …
Remediation Upgrade to the fixed build: Vendor-released patch: 0.2026.05.06.15.42.stable_01 (or any later stable release). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit Warp adoption across the organization; restrict Warp usage to trusted corporate networks only; disconnect affected machines from external systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Warp

View all
CVE-2022-3320 CRITICAL
9.8 Oct 28

It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'

CVE-2026-48732 HIGH
8.8 Jun 24

Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt

CVE-2026-48704 HIGH
8.8 Jun 24

Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026

CVE-2022-3512 HIGH
8.8 Oct 28

Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f

CVE-2026-48721 HIGH
8.6 Jun 24

Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_

CVE-2026-48719 HIGH
8.0 Jun 24

Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe

CVE-2026-48725 HIGH
8.1 Jun 24

Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl

CVE-2026-48731 HIGH
7.8 Jun 24

Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2

CVE-2026-48703 HIGH
7.8 Jun 24

OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search

CVE-2023-0652 HIGH
7.8 Apr 06

Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA

CVE-2023-1412 HIGH
7.8 Apr 05

An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for

CVE-2022-2225 HIGH
7.8 Jul 26

By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b

Share

CVE-2026-48720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy