Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Network-delivered spoofing via PTY requires no authentication or elevated complexity; impact is integrity only (falsified UI metadata), not confidentiality or availability.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepted certain state-mutating terminal lifecycle hooks from the PTY stream without verifying that the hooks were emitted by Warp's shell integration for the active session. An attacker who could cause a victim to view attacker-controlled terminal output in Warp could spoof selected lifecycle metadata, including the current working directory reported for the active block or SSH session transport metadata. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
AnalysisAI
Terminal lifecycle hook spoofing in Warp versions prior to 0.2026.05.06.15.42.stable_01 allows an attacker who controls terminal output viewed by a victim to inject unauthenticated shell integration hooks into the PTY stream, causing Warp to accept falsified session metadata - including spoofed current working directory and SSH session transport parameters. Exploitation requires user interaction (the victim must view attacker-controlled terminal content in Warp), and no public exploit code has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim is running Warp with shell integration enabled (the default installation configuration) and views attacker-controlled content within an active Warp terminal session. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 medium score (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) captures network reachability and low attack complexity, but the I:N assignment underrepresents real impact - spoofing the displayed CWD and SSH transport metadata is an integrity concern that could mislead developers into believing they are operating in a different directory or SSH context than they actually are, potentially triggering downstream user-initiated harm. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer SSHes into a malicious or compromised remote server using Warp with shell integration active; the server emits crafted OSC escape sequences containing fake Preexec or SSH lifecycle hook payloads with falsified CWD or session socket path values. Warp processes the unauthenticated hooks and updates its UI to display an incorrect working directory or SSH session context, potentially causing the developer to perform file operations or issue commands they believe are scoped to a different directory or host. … |
| Remediation | Upgrade to Warp version 0.2026.05.06.15.42.stable_01 or later, which is the vendor-released patch confirmed by the GitHub security advisory at https://github.com/warpdotdev/warp/security/advisories/GHSA-9w2v-jhww-vm85 and corroborated by commits 32d21d15c9a3da1a923d1ed66226cf5cba081d16 and 51bd3267803c5cc0a45074fa19fd50162be7c917. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint'
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell synt
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stabl
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" f
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell whe
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stabl
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WA
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39013