Description
Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp allows terminal output to request access to the local system clipboard. A malicious remote host, remote program, or other attacker-controlled terminal output source can trigger clipboard reads or writes without a separate confirmation step. This crosses the trust boundary between untrusted terminal output and the user's local desktop clipboard. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
Published: 2026-06-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Warp allows terminal output to request direct read or write operations on the local system clipboard through OSC 52 without requiring a separate confirmation step. This flaw enables a malicious remote host, remote program, or attacker‑controlled terminal output source to leak or replace clipboard contents, compromising the confidentiality and integrity of data the user expects to be securely local.

Affected Systems

The vulnerability affects Warp versions from 0.2021.04.25.23.05.stable_00 up to, but not including, 0.2026.05.06.15.42.stable_01. Users running any of those releases on any platform can be impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity and the lack of an EPSS score means the exploitation probability is not quantified. The flaw is not listed in KEV, but its exploitation does not require special privileges, relying instead on attacker control over terminal output. An attacker who can inject terminal output into a Warp session can read or replace clipboard contents, potentially exfiltrating sensitive information or tampering with user data.

Generated by OpenCVE AI on June 24, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Warp to version 0.2026.05.06.15.42.stable_01 or newer, which removes the defect.
  • If an immediate update is not possible, configure Warp to disable OSC 52 clipboard handling or reject clipboard access requests from untrusted terminal input.
  • Limit or block external programs from producing terminal output in Warp sessions, and enforce strict trust boundaries for any terminal content that can interact with the local desktop.

Generated by OpenCVE AI on June 24, 2026 at 20:38 UTC.
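
An added example, not Warp's code and not part of the CVE record: a stream filter that could sit between an untrusted session and the terminal to apply the "reject clipboard access requests from untrusted terminal input" action above. The OSC 52 syntax follows the xterm control-sequence documentation; the `Osc52Filter` class, the `MAX_HELD` cap and the sample bytes are constructed for illustration.

```python
import base64
import re

# OSC 52 (xterm control sequences): ESC ] 52 ; <selection> ; <data>, ended by BEL or ST (ESC \).
# Assumption: only the 7-bit ESC ] introducer is handled, not the 8-bit C1 form.
OSC52 = re.compile(rb"\x1b\]52;([^;\x07\x1b]*);([^\x07\x1b]*)(?:\x07|\x1b\\)")
# Prefix of such a sequence at the end of a chunk (a read may split it anywhere).
PARTIAL = re.compile(rb"\x1b(?:\](?:5(?:2(?:;[^\x07\x1b]*\x1b?)?)?)?)?\Z")
MAX_HELD = 1 << 20  # hypothetical cap so an unterminated sequence cannot grow memory

class Osc52Filter:
    """Drops OSC 52 clipboard requests from terminal output and records each one."""

    def __init__(self):
        self.held = b""      # possible start of a sequence, kept until the next chunk
        self.findings = []   # (kind, selection, decoded_size) tuples

    def _record(self, match):
        selection, data = match.group(1), match.group(2)
        if data == b"?":
            kind, size = "read", 0       # "?" asks the terminal to send the clipboard back
        else:
            kind = "write"
            try:
                size = len(base64.b64decode(data, validate=True))
            except ValueError:
                size = -1                # payload is not valid base64
        self.findings.append((kind, selection.decode("ascii", "replace"), size))
        return b""

    def feed(self, chunk: bytes) -> bytes:
        out, n = OSC52.subn(self._record, self.held + chunk)
        while n:  # removing one sequence can splice its neighbours into a new one
            out, n = OSC52.subn(self._record, out)
        self.held = b""
        tail = PARTIAL.search(out)
        if tail:
            if len(out) - tail.start() <= MAX_HELD:
                self.held = out[tail.start():]
            else:
                self.findings.append(("oversized", "", len(out) - tail.start()))
            out = out[:tail.start()]
        return out

# Constructed sample: a clipboard write split across two reads, then a read query.
B64 = base64.b64encode(b"constructed-sample")
SAMPLE = [b"login ok\r\n\x1b]52;c;" + B64[:12], B64[12:] + b"\x07$ ",
          b"\x1b]52;c;?\x1b", b"\\done"]
```

Bytes held back at the end of a stream are never emitted, so a caller that needs them should flush `held` only after checking it is not an OSC 52 prefix.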

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:00:00 +0000

Values Removed: (none)
Values Added:
  • Description: Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp allows terminal output to request access to the local system clipboard. A malicious remote host, remote program, or other attacker-controlled terminal output source can trigger clipboard reads or writes without a separate confirmation step. This crosses the trust boundary between untrusted terminal output and the user's local desktop clipboard. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
  • Title: Warp may allow terminal output to access the local clipboard through OSC 52
  • Weaknesses: CWE-276
  • References
  • Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-25T13:19:07.246Z
Reserved: 2026-05-22T18:47:27.757Z
Link: CVE-2026-48725

Vulnrichment

Updated: 2026-06-25T13:19:03.424Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:45:03Z

Weaknesses
  • CWE-276: Incorrect Default Permissions