Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Local agent execution context (AV:L), trivial env-var prefix (AC:L), no host privileges since the trigger is agent-output influence (PR:N), user must run the agent (UI:R), and the broken agent-to-host boundary yields scope change with full host impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
AnalysisAI
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_00 through the fix in 0.2026.05.06.15.42.stable_01) lets denylisted, confirmation-required commands auto-execute. Because the non-interactive CLI agent matched command strings against its denylist before stripping leading environment-variable assignments, an attacker able to influence the agent's emitted command output (e.g., via prompt injection) can prefix a blocked command such as 'rm' with 'X=1' to evade the safety boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the victim to be running Warp's default unsandboxed, non-interactive CLI agent profile (the one that relies on the command denylist and auto-executes non-denylisted commands), and requires the attacker to be able to influence the command string the agent outputs - typically via indirect prompt injection through untrusted content the agent processes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 is 8.6 (High) with vector AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H - local vector, low complexity, no privileges, user interaction required, and a scope change reflecting the broken trust boundary between the AI agent and the host, with full confidentiality/integrity/availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker plants a crafted instruction or file in a repository the developer asks Warp's CLI agent to operate on; through prompt injection the agent emits 'X=1 rm -rf ~/project', which should require confirmation under the 'rm' denylist. Because the env-var prefix defeats the pre-canonicalization string match, the agent auto-executes the destructive command on the developer's host without prompting. … |
| Remediation | Vendor-released patch: 0.2026.05.06.15.42.stable_01 - upgrade Warp to this version or later, which canonicalizes leading environment-variable assignments before denylist evaluation (advisory GHSA-3839-h8jj-ph82, commit 0c1e243292c642d9a7748f80813b6fdfc0b31a9e). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Warp installations and identify affected versions (0.2025.10.08.08.12.stable_00 through versions before 0.2026.05.06.15.42.stable_01). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39016