CVE-2026-48721
Received Received - Intake
Command Execution Bypass in Warp CLI Agent

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-48721
EUVD
EUVD-2026-39016
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
warp warp From 0.2025.10.08.08.12.stable_00 (inc) to 0.2026.05.06.15.42.stable_01 (inc)
warpdotdev warp From 0.2025.10.08.08.12.stable_00 (inc) to 0.2026.05.06.15.42.stable_01 (inc)
warpdotdev warp 0.2026.05.06.15.42.stable_01
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-180 The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48721 is a vulnerability in the Warp terminal application affecting versions from 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01. It involves a command execution permission-check bypass in the default unsandboxed CLI agent profile, which uses a command denylist to block certain commands.

The issue arises because the denylist check was performed on the raw command string before removing leading environment-variable assignments. This means that commands prefixed with environment variables (e.g., "VAR=value command") could bypass the denylist if the denylist entry matched the command without the environment variable prefix.

An attacker who can influence the agent's command output could exploit this to have denylisted commands treated as allowed, potentially executing unauthorized commands.

Impact Analysis

This vulnerability can allow an attacker to bypass command execution restrictions in the Warp CLI agent, enabling the execution of commands that should have been blocked by the denylist.

Successful exploitation requires the attacker to influence the agent's command output and for the user to run the unsandboxed CLI agent in an attacker-controlled or prompt-injectable context.

If exploited, this could lead to unauthorized command execution with the user's local shell authority, potentially resulting in full compromise of the user's environment, including confidentiality, integrity, and availability impacts.

Detection Guidance

This vulnerability involves a command execution permission-check bypass in Warp's unsandboxed CLI agent profile, specifically when commands have leading environment-variable assignments that bypass the denylist.

To detect exploitation attempts or presence of this vulnerability on your system, you should monitor for commands that include environment-variable prefixes followed by denylisted commands, such as commands starting with patterns like `VAR=value denylisted_command`.

Since the vulnerability relates to command strings being checked before canonicalization, you can look for suspicious command executions in logs or shell histories that include environment variable assignments preceding denylisted commands.

Specific detection commands are not provided in the resources, but you might consider searching shell history or logs for patterns like:

  • grep -E '^[A-Z_]+=.+ (rm|sudo|dd|shutdown|reboot)' ~/.bash_history
  • auditd or system audit logs filtering for commands with environment variable prefixes followed by sensitive commands.

Additionally, monitoring for the use of the unsandboxed CLI agent in contexts where user interaction or prompt injection is possible may help detect attempts to exploit this vulnerability.

Mitigation Strategies

The primary mitigation step is to update Warp to the fixed version 0.2026.05.06.15.42.stable_01 or later, which includes a patch that strips leading environment-variable assignments from commands before evaluating the denylist.

If updating immediately is not possible, avoid running the unsandboxed CLI agent on untrusted content or in attacker-controlled or prompt-injectable contexts, as exploitation requires user interaction in such environments.

Review and tighten permissions and usage policies around the Warp CLI agent to minimize exposure.

Compliance Impact

This vulnerability allows an attacker to bypass command execution permission checks in the Warp CLI agent, potentially enabling execution of denylisted commands under the victim's local shell authority.

Such unauthorized command execution could lead to unauthorized access, data manipulation, or data leakage, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict controls over data access and system integrity.

Therefore, if exploited, this vulnerability could compromise the confidentiality, integrity, and availability of sensitive data, potentially resulting in non-compliance with these regulations.

Users are advised to update to the patched Warp version or avoid running the unsandboxed CLI agent on untrusted content to mitigate these risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart