Impact
Warp is an agentic development environment that, in versions 0.2023.10.24.08.03.stable_00 through 0.2026.05.06.15.42.stable_01, may open executable local files through the operating system default file handler when a user clicks a local‑file link in a rendered Markdown document; this flaw allows an attacker to run arbitrary code on the host machine by embedding a malicious local‑file reference in a Markdown file.
Affected Systems
The affected product is Warp developed by warpdotdev; versions from 0.2023.10.24.08.03.stable_00 up to and including 0.2026.05.06.15.42.stable_01 are vulnerable.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. No EPSS data is available and the vulnerability is not listed in KEV, so no widespread exploitation is reported. The likely attack vector is local: an attacker delivers a crafted Markdown file to a targeted user; upon opening and clicking the link, the system handler executes the referenced file. The flaw is a CWE‑20 input validation error that lets the application forward a user‑supplied path to the OS.
OpenCVE Enrichment