Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Triggered by remote output with no auth (AV:N/PR:N), low complexity, but the victim must render the output (UI:R); clipboard read leaks secrets (C:H) and clipboard write enables paste-injection (I:H), no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp allows terminal output to request access to the local system clipboard. A malicious remote host, remote program, or other attacker-controlled terminal output source can trigger clipboard reads or writes without a separate confirmation step. This crosses the trust boundary between untrusted terminal output and the user's local desktop clipboard. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
AnalysisAI
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_01) lets attacker-controlled terminal output read and write the host desktop clipboard via OSC 52 escape sequences with no confirmation prompt. Any malicious remote host, compromised program, or hostile output stream rendered in the terminal can silently exfiltrate clipboard contents (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim render attacker-controlled terminal output inside a vulnerable Warp build (0.2021.04.25.23.05.stable_00 through pre-0.2026.05.06.15.42.stable_01) - the malicious source can be a remote host the user SSHes to, a remote program, or any output stream the terminal displays - and that output must contain OSC 52 clipboard escape sequences. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (8.1 High) is internally consistent with the description: the trigger reaches the victim over the network (a remote host or remote program's output), requires no authentication or special privilege, and is low-complexity, but does require user interaction in the sense that the victim must render the malicious output in their Warp terminal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a malicious server (or a trojaned CLI tool/log file) whose output embeds an OSC 52 read sequence; when a developer connects or views that output in a pre-fix Warp, the terminal silently returns the host clipboard into the stream, leaking any copied API key or password. Alternatively the output writes attacker-chosen text (e.g. … |
| Remediation | Vendor-released patch: upgrade Warp to 0.2026.05.06.15.42.stable_01 or later, which adds a terminal.osc52_clipboard_access policy that defaults to 'deny' for all OSC 52 clipboard operations. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running affected Warp terminal versions (0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_01); restrict SSH access from untrusted networks; notify users and request credential rotation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39010