Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Malicious branch is delivered via a remote repo (AV:N) but needs branch-publish access (PR:L) and a victim click on the chip (UI:R); injected shell command runs with full C/I/A impact at user privilege.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Warp is an agentic development environment. From 0.2025.08.06.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
AnalysisAI
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell when they click that branch in the UI. It affects Warp builds from 0.2025.08.06.08.12.stable_00 up to the fix in 0.2026.05.06.15.42.stable_01, and is exploitable by anyone able to publish a branch to a repository the victim opens in Warp. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the attacker to be able to publish a branch to a Git repository the victim opens in Warp - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, base 8.0) reflects high confidentiality, integrity, and availability impact since injected commands run with the victim user's privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with push access to a shared or forked Git repository creates a branch whose name embeds shell metacharacters (e.g. a command substitution payload). … |
| Remediation | Vendor-released patch: upgrade Warp to 0.2026.05.06.15.42.stable_01 or later, which replaces raw string command formatting with a typed PromptChipShellCommand enum (GitCheckout, GitCreateAndCheckoutBranch, ChangeDirectory, NvmUse, etc.) so user-controlled values can no longer be concatenated into shell command lines; see the advisory at https://github.com/warpdotdev/warp/security/advisories/GHSA-hgvx-4xvm-39pw and commit 4295ec08d01912fe355351547e541277f29288cd. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all users running Warp versions 0.2025.08.06.08.12.stable_00 through 0.2026.05.06.15.42.stable_00 and communicate the vulnerability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39001