Skip to main content

Warp EUVDEUVD-2026-39002

| CVE-2026-48704 HIGH
Improper Input Validation (CWE-20)
2026-06-24 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Malicious content is delivered remotely (AV:N) with no auth (PR:N) but requires the victim to open and click a link (UI:R); resulting code execution yields full C/I/A impact in the user context.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 19:17 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 18:21 vuln.today
Analysis Generated
Jun 24, 2026 - 18:21 vuln.today

DescriptionCVE.org

Warp is an agentic development environment. From 0.2023.10.24.08.03.stable_00 until 0.2026.05.06.15.42.stable_01, Warp may open executable local files through the operating system default file handler. A malicious Markdown document or project can contain a local-file link that appears as normal rendered content. If a user opens the Markdown in Warp and clicks the link, affected builds may route the resolved local file to a platform file opener instead of limiting the action to safe viewer/editor targets. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

AnalysisAI

Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026.05.06.15.42.stable_01) arises because the Markdown link handler routes resolved local-file links to the operating system's default file opener. A malicious Markdown document or project repository can embed a benign-looking local-file link that, when clicked, hands an executable (such as an extensionless shell script) to the platform file opener (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver malicious Markdown/project to developer
Delivery
Embed local-file link to disguised executable
Exploit
Victim opens notebook and clicks link
Execution
Warp routes target to OS default opener
Persist
Executable runs in user context
Impact
Arbitrary code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires that (1) the victim is running an affected Warp build between 0.2023.10.24.08.03.stable_00 and 0.2026.05.06.15.42.stable_01, (2) the victim opens an attacker-controlled Markdown document or project in Warp's notebook viewer, (3) an executable file (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high impact with the single mitigating factor of required user interaction - the victim must open the malicious Markdown and click the crafted link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a repository (or sends a Markdown file) containing a link that looks like documentation but resolves to an extensionless shell script bundled in the project. A developer opens the project in Warp, reads the rendered Markdown, and clicks the link; on a vulnerable build Warp passes the file to the OS default opener, executing the attacker's code in the developer's context. …
Remediation Vendor-released patch: upgrade Warp to 0.2026.05.06.15.42.stable_01 or later, which routes any link target that would otherwise go to the OS default handler (FileTarget::SystemGeneric / SystemDefault) through reveal-in-Finder/Explorer instead of opening it, per GHSA-589x-4mxh-jcrf (https://github.com/warpdotdev/warp/security/advisories/GHSA-589x-4mxh-jcrf) and commit 7f0c4dd2322198f1b39890f8e6bcdc606c6a3c74. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Warp users and notify of CVE-2026-48704; advise against opening untrusted Markdown files. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Warp

View all
CVE-2022-3320 CRITICAL
9.8 Oct 28

It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'

CVE-2026-48732 HIGH
8.8 Jun 24

Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt

CVE-2026-48720 HIGH
8.8 Jun 24

Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl

CVE-2022-3512 HIGH
8.8 Oct 28

Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f

CVE-2026-48721 HIGH
8.6 Jun 24

Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_

CVE-2026-48719 HIGH
8.0 Jun 24

Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe

CVE-2026-48725 HIGH
8.1 Jun 24

Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl

CVE-2026-48731 HIGH
7.8 Jun 24

Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2

CVE-2026-48703 HIGH
7.8 Jun 24

OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search

CVE-2023-0652 HIGH
7.8 Apr 06

Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA

CVE-2023-1412 HIGH
7.8 Apr 05

An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for

CVE-2022-2225 HIGH
7.8 Jul 26

By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b

Share

EUVD-2026-39002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy