Description
Warp is an agentic development environment. From 0.2024.02.20.08.01.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the Linux external editor launcher. Warp expanded freedesktop .desktop Exec templates for affected editor integrations and executed the expanded command through a shell. A user who opens an attacker-controlled local file path through an affected external editor or system-default editor route can cause shell syntax embedded in that path to execute as the local user. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Warp is an agentic development environment that, between versions 0.2024.02.20.08.01.stable_01 and 0.2026.05.06.15.42.stable_01, expands freedesktop .desktop Exec templates for external editor integrations and executes the expanded command through a shell. A user who opens an attacker-controlled local file path through an affected external editor or the system‑default editor route can cause shell syntax embedded in that path to execute as the local user. This provides a non‑privileged local attacker with the ability to run arbitrary shell commands, potentially leading to data exposure or modification of the user’s environment. The weakness is a classic operating‑system command injection flaw (CWE‑78).

Affected Systems

Warp (warp dot dev) versions from 0.2024.02.20.08.01.stable_01 up to and including 0.2026.05.06.15.42.stable_01 are affected. Users running these versions on Linux are vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.8 indicates a high‑severity vulnerability. No EPSS score is available, and the issue is not listed in CISA KEV, suggesting that widespread exploitation has not yet been reported. The likely attack vector is a local user with access to Warp who opens a malicious file path; the vulnerability requires no network interaction. Given the local perspective, the risk is moderate to high when users open untrusted files in Warp. All users of the affected versions should consider remediation promptly.

Generated by OpenCVE AI on June 24, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Warp to version 0.2026.05.06.15.42.stable_01 or later, which contains the fixed external editor launcher.
  • Temporarily disable the external editor integration for untrusted file paths to prevent the expanded command from being executed through the shell.
  • Monitor system logs for unexpected shell command activity originating from Warp and audit executed commands for anomalies.

Generated by OpenCVE AI on June 24, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Warpdotdev
Warpdotdev warp
Vendors & Products Warpdotdev
Warpdotdev warp

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Warp is an agentic development environment. From 0.2024.02.20.08.01.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the Linux external editor launcher. Warp expanded freedesktop .desktop Exec templates for affected editor integrations and executed the expanded command through a shell. A user who opens an attacker-controlled local file path through an affected external editor or system-default editor route can cause shell syntax embedded in that path to execute as the local user. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
Title Warp: Linux external editor command injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T18:25:49.694Z

Reserved: 2026-05-22T19:10:35.745Z

Link: CVE-2026-48731

cve-icon Vulnrichment

Updated: 2026-06-24T18:25:27.775Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:40:38Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')