Warp: Nine Vulnerabilities Disclosed Together, Covering Command Injection and File Access
Nine vulnerabilities have been disclosed in Warp, an agentic development environment, including command injection, local file access, and clipboard manipulation.

Key findings
- Nine vulnerabilities disclosed for Warp on June 24, 2026, affecting multiple components.
- Multiple command injection flaws allow arbitrary code execution via branch names, env-var prefixes, external editors, and code search tools.
- Vulnerabilities enable unauthorized local file access, overwrites, and persistence through Markdown links and terminal output payloads.
- Clipboard access is compromised via OSC 52, allowing unauthorized data exfiltration or injection.
- Affected versions range up to 0.2026.05.06.15.42.stable_01; patched in 0.2026.05.06.15.42.stable_01.

On June 24, 2026, a batch of nine vulnerabilities was disclosed for Warp, an agentic development environment. These vulnerabilities, disclosed by CISA, span various components of the Warp application and primarily revolve around command injection, local file access, and clipboard manipulation. The affected versions range from early stable releases up to 0.2026.05.06.15.42.stable_01, with fixes available in version 0.2026.05.06.15.42.stable_01.
Several vulnerabilities center on command injection flaws. CVE-2026-48719 details a command injection vulnerability in the branch selector, where crafted Git branch names can be interpreted by the victim's shell. Similarly, CVE-2026-48721 describes a bypass of command execution permission checks in the default unsandboxed CLI agent profile, allowing denylisted commands to be auto-executed. On Linux systems, CVE-2026-48731 highlights a command injection issue in the external editor launcher, which expands freedesktop .desktop Exec templates. Furthermore, CVE-2026-48703 points to a command execution policy bypass in Warp's Agent code search tools, where Grep and FileGlob actions can be manipulated to build shell commands. Another command injection vulnerability, CVE-2026-54699, exists when opening terminal links from WSL, where a fallback mechanism to a Windows command processor can be exploited.
Beyond command injection, other vulnerabilities expose local file system and clipboard access. CVE-2026-48704 allows malicious Markdown documents to open executable local files through the operating system's default file handler. CVE-2026-48720 enables local file overwrite and persistence through non-inline OSC 1337;File payloads from terminal output, which are materialized as local files without confirmation. CVE-2026-54686 involves the spoofing of DCS lifecycle hooks, which can alter terminal session metadata by accepting state-mutating hooks from the PTY stream without proper verification. Finally, CVE-2026-48725 permits terminal output to access the local system clipboard via OSC 52, allowing malicious sources to read or write clipboard data.
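The three terminal-output issues above (OSC 52, non-inline OSC 1337;File, and DCS strings) all reach the terminal as escape sequences in the PTY stream, so captured output or session logs can be scanned for them before they are replayed. The Python below is an added example, not Warp's code and not taken from the advisories. It assumes 7-bit escape forms and iTerm2's documented `inline` default, and it flags every DCS string because Warp's hook format is not given here. All function names and sample bytes are constructed.

```python
import re
from typing import NamedTuple

# OSC = ESC ] ... ended by BEL or ST (ESC \); DCS = ESC P ... ST.
# Assumption: only 7-bit forms occur (UTF-8 stream, no 8-bit C1 controls).
_STRING_SEQ = re.compile(rb"\x1b([\]P])(.*?)(?:\x07|\x1b\\)", re.DOTALL)

class Finding(NamedTuple):
    offset: int
    kind: str
    detail: str

def classify(intro: bytes, body: bytes):
    """Return (kind, detail) for a risky sequence, or None if it is allowed."""
    if intro == b"P":
        # Conservative policy (assumption): no DCS string is trusted from output.
        return ("dcs", f"{len(body)}-byte DCS string")
    code, _, rest = body.partition(b";")
    if code == b"52":
        # OSC 52 ; <selection> ; <base64 | ?>  ('?' asks the terminal to reply)
        data = rest.partition(b";")[2]
        kind = "osc52-read" if data == b"?" else "osc52-write"
        return (kind, f"{len(data)} payload bytes")
    if code == b"1337" and rest.startswith(b"File="):
        args = rest[5:].partition(b":")[0].split(b";")
        opts = dict(a.partition(b"=")[::2] for a in args if a)
        # iTerm2 semantics: inline defaults to 0, i.e. "save as a local file".
        if opts.get(b"inline", b"0") != b"1":
            return ("osc1337-file-download", "non-inline File transfer")
    return None

def scan(stream: bytes) -> list:
    """List every flagged sequence with its byte offset in the stream."""
    hits = ((m.start(), classify(m.group(1), m.group(2)))
            for m in _STRING_SEQ.finditer(stream))
    return [Finding(off, *hit) for off, hit in hits if hit]

def sanitize(stream: bytes) -> bytes:
    """Drop flagged sequences; keep the rest (e.g. OSC 0 title changes)."""
    keep = lambda m: b"" if classify(m.group(1), m.group(2)) else m.group(0)
    return _STRING_SEQ.sub(keep, stream)

# Constructed sample of program output (payloads are the base64 of "hello").
SAMPLE = (b"build ok\n" b"\x1b]0;my title\x07"
          b"\x1b]52;c;aGVsbG8=\x07" b"\x1b]52;c;?\x1b\\"
          b"\x1b]1337;File=name=bm90ZXMudHh0;size=5:aGVsbG8=\x07"
          b"\x1b]1337;File=inline=1:aGVsbG8=\x07"
          b"\x1bPexample\x1b\\" b"done\n")
```

Running `scan(SAMPLE)` reports the clipboard write, the clipboard read request, the non-inline file transfer, and the DCS string, while the title change and the inline image pass through `sanitize` untouched.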
Because all nine vulnerabilities were disclosed on the same day and together cover command execution, unauthorized file access, and clipboard data compromise, users are advised to update Warp promptly to the patched version, 0.2026.05.06.15.42.stable_01. The wide range of affected versions indicates a long-standing exposure for many users, making the update particularly critical.