Skip to main content

Warp Terminal EUVDEUVD-2026-39013

| CVE-2026-54686 MEDIUM
OS Command Injection (CWE-78)
2026-06-24 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
vuln.today AI
4.3 MEDIUM

Network-delivered spoofing via PTY requires no authentication or elevated complexity; impact is integrity only (falsified UI metadata), not confidentiality or availability.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 19:17 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 18:23 vuln.today
Analysis Generated
Jun 24, 2026 - 18:23 vuln.today

DescriptionCVE.org

Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepted certain state-mutating terminal lifecycle hooks from the PTY stream without verifying that the hooks were emitted by Warp's shell integration for the active session. An attacker who could cause a victim to view attacker-controlled terminal output in Warp could spoof selected lifecycle metadata, including the current working directory reported for the active block or SSH session transport metadata. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

AnalysisAI

Terminal lifecycle hook spoofing in Warp versions prior to 0.2026.05.06.15.42.stable_01 allows an attacker who controls terminal output viewed by a victim to inject unauthenticated shell integration hooks into the PTY stream, causing Warp to accept falsified session metadata - including spoofed current working directory and SSH session transport parameters. Exploitation requires user interaction (the victim must view attacker-controlled terminal content in Warp), and no public exploit code has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker controls a PTY output source (malicious SSH server or crafted file)
Delivery
Victim opens attacker-controlled content in Warp with shell integration active
Exploit
Crafted OSC escape sequences embed fake lifecycle hook JSON in PTY stream
Execution
Warp processes hooks without session_id verification
Impact
UI renders spoofed CWD or SSH session transport metadata

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is running Warp with shell integration enabled (the default installation configuration) and views attacker-controlled content within an active Warp terminal session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 medium score (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) captures network reachability and low attack complexity, but the I:N assignment underrepresents real impact - spoofing the displayed CWD and SSH transport metadata is an integrity concern that could mislead developers into believing they are operating in a different directory or SSH context than they actually are, potentially triggering downstream user-initiated harm. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer SSHes into a malicious or compromised remote server using Warp with shell integration active; the server emits crafted OSC escape sequences containing fake Preexec or SSH lifecycle hook payloads with falsified CWD or session socket path values. Warp processes the unauthenticated hooks and updates its UI to display an incorrect working directory or SSH session context, potentially causing the developer to perform file operations or issue commands they believe are scoped to a different directory or host. …
Remediation Upgrade to Warp version 0.2026.05.06.15.42.stable_01 or later, which is the vendor-released patch confirmed by the GitHub security advisory at https://github.com/warpdotdev/warp/security/advisories/GHSA-9w2v-jhww-vm85 and corroborated by commits 32d21d15c9a3da1a923d1ed66226cf5cba081d16 and 51bd3267803c5cc0a45074fa19fd50162be7c917. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Warp

View all
CVE-2022-3320 CRITICAL
9.8 Oct 28

It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'

CVE-2026-48732 HIGH
8.8 Jun 24

Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt

CVE-2026-48704 HIGH
8.8 Jun 24

Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026

CVE-2026-48720 HIGH
8.8 Jun 24

Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl

CVE-2022-3512 HIGH
8.8 Oct 28

Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f

CVE-2026-48721 HIGH
8.6 Jun 24

Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_

CVE-2026-48719 HIGH
8.0 Jun 24

Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe

CVE-2026-48725 HIGH
8.1 Jun 24

Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl

CVE-2026-48731 HIGH
7.8 Jun 24

Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2

CVE-2026-48703 HIGH
7.8 Jun 24

OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search

CVE-2023-0652 HIGH
7.8 Apr 06

Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA

CVE-2023-1412 HIGH
7.8 Apr 05

An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for

Share

EUVD-2026-39013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy