Impact
Warp, an agentic development environment, includes a command execution permission‑check bypass in the default unsandboxed CLI agent profile. The bypass occurs because the system verifies command strings against a denylist before it canonicalizes leading environment‑variable assignments. An attacker who can influence the agent’s command output can therefore cause commands that should trigger user confirmation to slip past the denylist and be executed automatically. This flaw enables arbitrary command execution on the host where the agent runs, compromising confidentiality, integrity, and availability of the system.
Affected Systems
The vulnerability applies to Warp versions ranging from 0.2025.10.08.08.12.stable_00 through 0.2026.05.06.15.42.stable_01. The affected product is the Warp agent provided by warpdotdev. Users running any of these releases are at risk until they upgrade to a fixed version.
Risk and Exploitability
The CVSS score of 8.6 indicates a high‑severity vulnerability. EPSS data is not available, so the likelihood of exploitation cannot be quantified, but the flaw is listed outside CISA’s KEV catalog. Based on the description, it is inferred that the attack vector requires an attacker to inject or otherwise influence environment‑variable assignments that precede a command string, which could be achieved through compromised input streams, poor isolation of the CLI agent, or other indirect manipulation of command output. Once the bypass is triggered, the attacker can execute any command that is normally denylisted, potentially gaining full system control.
OpenCVE Enrichment