Warp
Monthly
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026.05.06.15.42.stable_01) arises because the Markdown link handler routes resolved local-file links to the operating system's default file opener. A malicious Markdown document or project repository can embed a benign-looking local-file link that, when clicked, hands an executable (such as an extensionless shell script) to the platform file opener (e.g. NSWorkspace.openURL on macOS) instead of a safe viewer/editor, executing it. There is no public exploit identified at time of analysis, but the fix is confirmed in 0.2026.05.06.15.42.stable_01 and the root cause is documented in the upstream commit and GHSA advisory.
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell when they click that branch in the UI. It affects Warp builds from 0.2025.08.06.08.12.stable_00 up to the fix in 0.2026.05.06.15.42.stable_01, and is exploitable by anyone able to publish a branch to a repository the victim opens in Warp. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stable_01) lets malicious terminal output silently drop attacker-controlled files onto disk. Warp honored non-inline OSC 1337;File (and multipart MultipartFile) iTerm2 escape sequences by base64-decoding the payload and writing it to the active block's current working directory using the attacker-supplied filename, with no confirmation prompt. Because shell startup files such as .zshenv can be overwritten this way, the write converts into code execution on the victim's host; no public exploit identified at time of analysis and the issue is not in CISA KEV.
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_00 through the fix in 0.2026.05.06.15.42.stable_01) lets denylisted, confirmation-required commands auto-execute. Because the non-interactive CLI agent matched command strings against its denylist before stripping leading environment-variable assignments, an attacker able to influence the agent's emitted command output (e.g., via prompt injection) can prefix a blocked command such as 'rm' with 'X=1' to evade the safety boundary. No public exploit is identified at time of analysis, and it is not listed in CISA KEV.
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2026.05.06.15.42.stable_01) lets an attacker run arbitrary shell commands as the local user when a victim opens a maliciously named file through an affected external or system-default editor route. Warp expanded freedesktop .desktop Exec templates and passed the result to a shell, so shell metacharacters embedded in a file path are interpreted rather than treated as data. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; impact is high (CVSS 7.8) but requires local context and user interaction.
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell syntax that runs as the victim's authenticated SSH account. Affecting Warp from 0.2023.03.21.08.02.stable_00 up to (but not including) 0.2026.05.06.15.42.stable_01, the flaw stems from the terminal trusting the remote working directory, repository, or directory name reported by an SSH session when assembling helper commands for metadata collection. No public exploit identified at time of analysis, though the fix commit ships regression tests that demonstrate the breakout; not listed in CISA KEV and no EPSS provided.
Terminal lifecycle hook spoofing in Warp versions prior to 0.2026.05.06.15.42.stable_01 allows an attacker who controls terminal output viewed by a victim to inject unauthenticated shell integration hooks into the PTY stream, causing Warp to accept falsified session metadata - including spoofed current working directory and SSH session transport parameters. Exploitation requires user interaction (the victim must view attacker-controlled terminal content in Warp), and no public exploit code has been identified at time of analysis. The CVSS-assigned availability impact (A:L) and absence of integrity impact (I:N) appear inconsistent with the described spoofing behavior; session state falsification is the primary operational concern for affected users.
OS command injection in Warp (the agentic terminal/development environment) affects builds from 0.2024.03.12.08.02.stable_01 up to the fix in 0.2026.05.06.15.42.stable_01 when running under Windows Subsystem for Linux. When wslview cannot open a URL, Warp falls back to a Windows command processor (cmd.exe /c start), so a malicious URL emitted into terminal output executes attacker-controlled Windows commands once the user clicks the link. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix commit clearly documents the injection path.
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search operations and execute arbitrary shell commands in the user's terminal. Affected builds from 0.2025.04.09.08.11.stable_00 up to 0.2026.05.06.15.42.stable_01 implement the Grep and FileGlob actions — which the Agent's command-execution policy authorizes only as read/search — by concatenating Agent-supplied search text, paths, and glob patterns into unquoted shell command strings. There is no public exploit identified at time of analysis, though the vendor fix commit and its regression tests publicly demonstrate the injection technique (e.g. a $(touch /tmp/warp-poc) payload).
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_01) lets attacker-controlled terminal output read and write the host desktop clipboard via OSC 52 escape sequences with no confirmation prompt. Any malicious remote host, compromised program, or hostile output stream rendered in the terminal can silently exfiltrate clipboard contents (e.g. copied passwords or tokens) or plant attacker text for the user to later paste. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix commit is public; CVSS is 8.1 (High).
Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.
Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.
Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim's device to exploit a. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required. No vendor patch available.
Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an insufficient access control policy on an IPC Named Pipe. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<= 2022.12.582.0) to perform privileged operations with SYSTEM context. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Cloudflare WARP client for Windows (up to v. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026.05.06.15.42.stable_01) arises because the Markdown link handler routes resolved local-file links to the operating system's default file opener. A malicious Markdown document or project repository can embed a benign-looking local-file link that, when clicked, hands an executable (such as an extensionless shell script) to the platform file opener (e.g. NSWorkspace.openURL on macOS) instead of a safe viewer/editor, executing it. There is no public exploit identified at time of analysis, but the fix is confirmed in 0.2026.05.06.15.42.stable_01 and the root cause is documented in the upstream commit and GHSA advisory.
Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell when they click that branch in the UI. It affects Warp builds from 0.2025.08.06.08.12.stable_00 up to the fix in 0.2026.05.06.15.42.stable_01, and is exploitable by anyone able to publish a branch to a repository the victim opens in Warp. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stable_01) lets malicious terminal output silently drop attacker-controlled files onto disk. Warp honored non-inline OSC 1337;File (and multipart MultipartFile) iTerm2 escape sequences by base64-decoding the payload and writing it to the active block's current working directory using the attacker-supplied filename, with no confirmation prompt. Because shell startup files such as .zshenv can be overwritten this way, the write converts into code execution on the victim's host; no public exploit identified at time of analysis and the issue is not in CISA KEV.
Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_00 through the fix in 0.2026.05.06.15.42.stable_01) lets denylisted, confirmation-required commands auto-execute. Because the non-interactive CLI agent matched command strings against its denylist before stripping leading environment-variable assignments, an attacker able to influence the agent's emitted command output (e.g., via prompt injection) can prefix a blocked command such as 'rm' with 'X=1' to evade the safety boundary. No public exploit is identified at time of analysis, and it is not listed in CISA KEV.
Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2026.05.06.15.42.stable_01) lets an attacker run arbitrary shell commands as the local user when a victim opens a maliciously named file through an affected external or system-default editor route. Warp expanded freedesktop .desktop Exec templates and passed the result to a shell, so shell metacharacters embedded in a file path are interpreted rather than treated as data. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; impact is high (CVSS 7.8) but requires local context and user interaction.
Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell syntax that runs as the victim's authenticated SSH account. Affecting Warp from 0.2023.03.21.08.02.stable_00 up to (but not including) 0.2026.05.06.15.42.stable_01, the flaw stems from the terminal trusting the remote working directory, repository, or directory name reported by an SSH session when assembling helper commands for metadata collection. No public exploit identified at time of analysis, though the fix commit ships regression tests that demonstrate the breakout; not listed in CISA KEV and no EPSS provided.
Terminal lifecycle hook spoofing in Warp versions prior to 0.2026.05.06.15.42.stable_01 allows an attacker who controls terminal output viewed by a victim to inject unauthenticated shell integration hooks into the PTY stream, causing Warp to accept falsified session metadata - including spoofed current working directory and SSH session transport parameters. Exploitation requires user interaction (the victim must view attacker-controlled terminal content in Warp), and no public exploit code has been identified at time of analysis. The CVSS-assigned availability impact (A:L) and absence of integrity impact (I:N) appear inconsistent with the described spoofing behavior; session state falsification is the primary operational concern for affected users.
OS command injection in Warp (the agentic terminal/development environment) affects builds from 0.2024.03.12.08.02.stable_01 up to the fix in 0.2026.05.06.15.42.stable_01 when running under Windows Subsystem for Linux. When wslview cannot open a URL, Warp falls back to a Windows command processor (cmd.exe /c start), so a malicious URL emitted into terminal output executes attacker-controlled Windows commands once the user clicks the link. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix commit clearly documents the injection path.
OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search operations and execute arbitrary shell commands in the user's terminal. Affected builds from 0.2025.04.09.08.11.stable_00 up to 0.2026.05.06.15.42.stable_01 implement the Grep and FileGlob actions — which the Agent's command-execution policy authorizes only as read/search — by concatenating Agent-supplied search text, paths, and glob patterns into unquoted shell command strings. There is no public exploit identified at time of analysis, though the vendor fix commit and its regression tests publicly demonstrate the injection technique (e.g. a $(touch /tmp/warp-poc) payload).
Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_01) lets attacker-controlled terminal output read and write the host desktop clipboard via OSC 52 escape sequences with no confirmation prompt. Any malicious remote host, compromised program, or hostile output stream rendered in the terminal can silently exfiltrate clipboard contents (e.g. copied passwords or tokens) or plant attacker text for the user to later paste. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix commit is public; CVSS is 8.1 (High).
Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.
Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.
Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim's device to exploit a. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required. No vendor patch available.
Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an insufficient access control policy on an IPC Named Pipe. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<= 2022.12.582.0) to perform privileged operations with SYSTEM context. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Cloudflare WARP client for Windows (up to v. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.