Description
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423.

The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations.

The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

GitHub Copilot CLI includes a shell tool that evaluates commands for safety before running them. This is a command‑injection vulnerability (CWE‑78). The assessment incorrectly classifies commands that contain certain bash parameter expansion patterns—such as ${var@P}, ${var=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${…}—as safe read‑only. An attacker who can influence the text sent to the shell (for instance, via prompt injection through repository files, malicious MCP server responses, or crafted user instructions) can embed executable code that the safety layer fails to detect, leading to arbitrary command execution on the user’s workstation. This can result in data exfiltration, file modification, or full system compromise.

Affected Systems

The vulnerability affects GitHub Copilot CLI versions up to and including 0.0.422. The affected product is the GitHub Copilot CLI itself, distributed by GitHub under the open source project name copilot-cli.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is below 1%, suggesting that while exploitation is unlikely at this moment, the potential impact is significant. The vulnerability is not listed in the CISA KEV catalog. An attacker who can supply malicious input to the shell tool—through repository content or prompt injection—can execute arbitrary code without requiring write permissions, as the attack bypasses the safety assessment that would normally flag non‑read‑only operations. No patch is available in older releases, meaning the risk persists until the user upgrades or mitigates the exposed input vectors.

Generated by OpenCVE AI on April 16, 2026 at 11:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GitHub Copilot CLI to version 0.0.423 or newer to remove the shell safety flaw
  • If upgrading immediately is not possible, block or disable the shell execution feature in the CLI configuration to prevent any command execution
  • Regularly review repository content and prompt logs for potential injection attempts and enforce strict code‑review policies to minimize malicious input

Generated by OpenCVE AI on April 16, 2026 at 11:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g8r9-g2v8-jv6f GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution
History

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Github
Github copilot
Vendors & Products Github
Github copilot

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
Title GitHub Copilot CLI allows for dangerous shell expansion patterns that enable arbitrary command execution
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Github Copilot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T03:56:38.092Z

Reserved: 2026-03-04T16:26:02.898Z

Link: CVE-2026-29783

cve-icon Vulnrichment

Updated: 2026-03-06T18:05:55.613Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-06T17:16:35.487

Modified: 2026-03-09T13:35:34.633

Link: CVE-2026-29783

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses