Skip to main content

Warp CVE-2026-48721

| EUVDEUVD-2026-39016 HIGH
Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
2026-06-24 GitHub_M
8.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.6 HIGH

Local agent execution context (AV:L), trivial env-var prefix (AC:L), no host privileges since the trigger is agent-output influence (PR:N), user must run the agent (UI:R), and the broken agent-to-host boundary yields scope change with full host impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 19:17 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 18:19 vuln.today
Analysis Generated
Jun 24, 2026 - 18:19 vuln.today

DescriptionCVE.org

Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

AnalysisAI

Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_00 through the fix in 0.2026.05.06.15.42.stable_01) lets denylisted, confirmation-required commands auto-execute. Because the non-interactive CLI agent matched command strings against its denylist before stripping leading environment-variable assignments, an attacker able to influence the agent's emitted command output (e.g., via prompt injection) can prefix a blocked command such as 'rm' with 'X=1' to evade the safety boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Plant injection in untrusted content agent reads
Delivery
Agent emits denylisted command with env-var prefix
Exploit
Denylist matched before canonicalization, no match
Execution
Command auto-executes without confirmation
Impact
Arbitrary command execution on host

Vulnerability AssessmentAI

Exploitation Requires the victim to be running Warp's default unsandboxed, non-interactive CLI agent profile (the one that relies on the command denylist and auto-executes non-denylisted commands), and requires the attacker to be able to influence the command string the agent outputs - typically via indirect prompt injection through untrusted content the agent processes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 is 8.6 (High) with vector AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H - local vector, low complexity, no privileges, user interaction required, and a scope change reflecting the broken trust boundary between the AI agent and the host, with full confidentiality/integrity/availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker plants a crafted instruction or file in a repository the developer asks Warp's CLI agent to operate on; through prompt injection the agent emits 'X=1 rm -rf ~/project', which should require confirmation under the 'rm' denylist. Because the env-var prefix defeats the pre-canonicalization string match, the agent auto-executes the destructive command on the developer's host without prompting. …
Remediation Vendor-released patch: 0.2026.05.06.15.42.stable_01 - upgrade Warp to this version or later, which canonicalizes leading environment-variable assignments before denylist evaluation (advisory GHSA-3839-h8jj-ph82, commit 0c1e243292c642d9a7748f80813b6fdfc0b31a9e). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Warp installations and identify affected versions (0.2025.10.08.08.12.stable_00 through versions before 0.2026.05.06.15.42.stable_01). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Warp

View all
CVE-2022-3320 CRITICAL
9.8 Oct 28

It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'

CVE-2026-48732 HIGH
8.8 Jun 24

Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt

CVE-2026-48704 HIGH
8.8 Jun 24

Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026

CVE-2026-48720 HIGH
8.8 Jun 24

Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl

CVE-2022-3512 HIGH
8.8 Oct 28

Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f

CVE-2026-48719 HIGH
8.0 Jun 24

Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe

CVE-2026-48725 HIGH
8.1 Jun 24

Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl

CVE-2026-48731 HIGH
7.8 Jun 24

Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2

CVE-2026-48703 HIGH
7.8 Jun 24

OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search

CVE-2023-0652 HIGH
7.8 Apr 06

Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA

CVE-2023-1412 HIGH
7.8 Apr 05

An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for

CVE-2022-2225 HIGH
7.8 Jul 26

By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b

Share

CVE-2026-48721 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy