Description
Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
Published: 2026-06-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Warp, an agentic development environment, includes a command execution permission‑check bypass in the default unsandboxed CLI agent profile. The bypass occurs because the system verifies command strings against a denylist before it canonicalizes leading environment‑variable assignments. An attacker who can influence the agent’s command output can therefore cause commands that should trigger user confirmation to slip past the denylist and be executed automatically. This flaw enables arbitrary command execution on the host where the agent runs, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability applies to Warp versions ranging from 0.2025.10.08.08.12.stable_00 through 0.2026.05.06.15.42.stable_01. The affected product is the Warp agent provided by warpdotdev. Users running any of these releases are at risk until they upgrade to a fixed version.

Risk and Exploitability

The CVSS score of 8.6 indicates a high‑severity vulnerability. EPSS data is not available, so the likelihood of exploitation cannot be quantified, but the flaw is listed outside CISA’s KEV catalog. Based on the description, it is inferred that the attack vector requires an attacker to inject or otherwise influence environment‑variable assignments that precede a command string, which could be achieved through compromised input streams, poor isolation of the CLI agent, or other indirect manipulation of command output. Once the bypass is triggered, the attacker can execute any command that is normally denylisted, potentially gaining full system control.

Generated by OpenCVE AI on June 24, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Warp to version 0.2026.05.06.15.42.stable_01 or later, which contains the fix for the denial‑list bypass.
  • If upgrading immediately is not feasible, disable the unsandboxed CLI agent profile or switch to a sandboxed profile to enforce the command denylist and prevent unauthorized execution.
  • Validate and sanitize environment variables in any user‑supplied commands so that leading assignments are processed prior to the denylist check, ensuring the bypass cannot be triggered.
  • Monitor system logs for unexpected command executions and conduct periodic security audits to verify that the updated policy remains enforced.

Generated by OpenCVE AI on June 24, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Warpdotdev
Warpdotdev warp
Vendors & Products Warpdotdev
Warpdotdev warp

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
Title Warp: Env-var prefixes can lead to denylisted command autoexecution
Weaknesses CWE-180
CWE-693
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T17:06:14.638Z

Reserved: 2026-05-22T18:47:27.756Z

Link: CVE-2026-48721

cve-icon Vulnrichment

Updated: 2026-06-25T17:06:10.553Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:40:36Z

Weaknesses
  • CWE-180

    Incorrect Behavior Order: Validate Before Canonicalize

  • CWE-693

    Protection Mechanism Failure