Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Malicious content is delivered remotely (AV:N) with no auth (PR:N) but requires the victim to open and click a link (UI:R); resulting code execution yields full C/I/A impact in the user context.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Warp is an agentic development environment. From 0.2023.10.24.08.03.stable_00 until 0.2026.05.06.15.42.stable_01, Warp may open executable local files through the operating system default file handler. A malicious Markdown document or project can contain a local-file link that appears as normal rendered content. If a user opens the Markdown in Warp and clicks the link, affected builds may route the resolved local file to a platform file opener instead of limiting the action to safe viewer/editor targets. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
AnalysisAI
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026.05.06.15.42.stable_01) arises because the Markdown link handler routes resolved local-file links to the operating system's default file opener. A malicious Markdown document or project repository can embed a benign-looking local-file link that, when clicked, hands an executable (such as an extensionless shell script) to the platform file opener (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that (1) the victim is running an affected Warp build between 0.2023.10.24.08.03.stable_00 and 0.2026.05.06.15.42.stable_01, (2) the victim opens an attacker-controlled Markdown document or project in Warp's notebook viewer, (3) an executable file (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high impact with the single mitigating factor of required user interaction - the victim must open the malicious Markdown and click the crafted link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a repository (or sends a Markdown file) containing a link that looks like documentation but resolves to an extensionless shell script bundled in the project. A developer opens the project in Warp, reads the rendered Markdown, and clicks the link; on a vulnerable build Warp passes the file to the OS default opener, executing the attacker's code in the developer's context. … |
| Remediation | Vendor-released patch: upgrade Warp to 0.2026.05.06.15.42.stable_01 or later, which routes any link target that would otherwise go to the OS default handler (FileTarget::SystemGeneric / SystemDefault) through reveal-in-Finder/Explorer instead of opening it, per GHSA-589x-4mxh-jcrf (https://github.com/warpdotdev/warp/security/advisories/GHSA-589x-4mxh-jcrf) and commit 7f0c4dd2322198f1b39890f8e6bcdc606c6a3c74. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Warp users and notify of CVE-2026-48704; advise against opening untrusted Markdown files. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to b
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39002