
CVE-2026-54686

Severity: MEDIUM, score 4.3 (CVSS 3.1)
Description
Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepted certain state-mutating terminal lifecycle hooks from the PTY stream without verifying that the hooks were emitted by Warp's shell integration for the active session. An attacker who could cause a victim to view attacker-controlled terminal output in Warp could spoof selected lifecycle metadata, including the current working directory reported for the active block or SSH session transport metadata. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Metadata

CVE ID: CVE-2026-54686
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-15 22:53 UTC
Published: 2026-06-24 17:28 UTC
Last updated: 2026-06-24 17:28 UTC
Primary CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vendor / Product: warpdotdev / warp
Sources: cve.org, NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Affected products (1)

Vendor      Product  Platform  Versions
warpdotdev  warp     (none)    >= 0.2021.04.25.23.05.stable_00, < 0.2026.05.13.09.15.stable_01
Weakness (CWE)

CWE     Source  Description
CWE-78  cna     CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88  cna     CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVSS scores (1)

Score  Severity  Version  Source  Vector
4.3    MEDIUM    3.1      cna     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
References (3)