Unrated severityNVD Advisory· Published Jun 24, 2026

Warp: DCS lifecycle hook spoofing can alter terminal session metadata

CVE-2026-54686

Description

Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepted certain state-mutating terminal lifecycle hooks from the PTY stream without verifying that the hooks were emitted by Warp's shell integration for the active session. An attacker who could cause a victim to view attacker-controlled terminal output in Warp could spoof selected lifecycle metadata, including the current working directory reported for the active block or SSH session transport metadata. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Warpdotdev/Warpllm-fuzzy
Range: >=0.2021.04.25.23.05.stable_00, <0.2026.05.06.15.42.stable_01

Patches

Vulnerability mechanics

References

github.com/warpdotdev/warp/commit/32d21d15c9a3da1a923d1ed66226cf5cba081d16mitrex_refsource_MISC
github.com/warpdotdev/warp/commit/51bd3267803c5cc0a45074fa19fd50162be7c917mitrex_refsource_MISC
github.com/warpdotdev/warp/security/advisories/GHSA-9w2v-jhww-vm85mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000