Description
Warp is an agentic development environment. From 0.2025.08.06.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
Published: 2026-06-24
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection in Warp's prompt branch selector. When a user publishes a branch with a crafted name to a Git repository that Warp opens, the victim's shell interprets the branch name if they select that branch from the UI, allowing execution of arbitrary commands.

Affected Systems

Warp, an agentic development environment by warpdotdev, is vulnerable in versions from 0.2025.08.06.08.12.stable_00 through 0.2026.05.06.15.42.stable_01. The fix is included in release 0.2026.05.06.15.42.stable_01.

Risk and Exploitability

CVSS score of 8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The attacker must be able to push a malicious branch to a repository that the victim opens in Warp. Selecting the manipulated branch from the UI causes the victim's shell to execute commands embedded in the branch name. The risk is significant if an attacker can control branch names, particularly in shared or untrusted repositories.

Generated by OpenCVE AI on June 24, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Warp to version 0.2026.05.06.15.42.stable_01 or later to remove the command injection flaw.
  • Limit branch publishing rights to trusted users, ensuring only authorized personnel can add new branches to repositories accessed through Warp.
  • If an upgrade cannot be applied immediately, adopt a policy that sanitizes branch names or disables the branch selection UI for potentially untrusted branches to prevent the shell from interpreting malicious payloads.

Generated by OpenCVE AI on June 24, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Warpdotdev
Warpdotdev warp
Vendors & Products Warpdotdev
Warpdotdev warp

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Warp is an agentic development environment. From 0.2025.08.06.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
Title Warp branch selector command injection via Git branch names
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:03:22.554Z

Reserved: 2026-05-22T18:47:27.756Z

Link: CVE-2026-48719

cve-icon Vulnrichment

Updated: 2026-06-24T19:03:09.669Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:40:32Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')