Impact
Warp is an agentic development environment that, between versions 0.2024.02.20.08.01.stable_01 and 0.2026.05.06.15.42.stable_01, expands freedesktop .desktop Exec templates for external editor integrations and executes the expanded command through a shell. A user who opens an attacker-controlled local file path through an affected external editor or the system‑default editor route can cause shell syntax embedded in that path to execute as the local user. This provides a non‑privileged local attacker with the ability to run arbitrary shell commands, potentially leading to data exposure or modification of the user’s environment. The weakness is a classic operating‑system command injection flaw (CWE‑78).
Affected Systems
Warp (warp dot dev) versions from 0.2024.02.20.08.01.stable_01 up to and including 0.2026.05.06.15.42.stable_01 are affected. Users running these versions on Linux are vulnerable. No other vendors or products are listed.
Risk and Exploitability
The CVSS score of 7.8 indicates a high‑severity vulnerability. No EPSS score is available, and the issue is not listed in CISA KEV, suggesting that widespread exploitation has not yet been reported. The likely attack vector is a local user with access to Warp who opens a malicious file path; the vulnerability requires no network interaction. Given the local perspective, the risk is moderate to high when users open untrusted files in Warp. All users of the affected versions should consider remediation promptly.
OpenCVE Enrichment