Description
Impacted Warp versions contain a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted.
Impact
Successful exploitation may allow commands that should require confirmation to run under the victim user's local shell authority.
Exploitation requires user interaction: the victim must run the unsandboxed CLI agent on attacker-controlled or prompt-injectable context, or otherwise receive a malicious agent response.
Patch
The patch canonicalizes commands for denylist evaluation by stripping leading environment-variable assignments before applying execution predicates.
Workarounds
Update a patched Warp build. If updating immediately is not possible, avoid running the unsandboxed CLI agent on untrusted or prompt-injectable content.
Credits
Thanks to the following reporter who responsibly disclosed this issue:
References
Description
Impacted Warp versions contain a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted.
Impact
Successful exploitation may allow commands that should require confirmation to run under the victim user's local shell authority.
Exploitation requires user interaction: the victim must run the unsandboxed CLI agent on attacker-controlled or prompt-injectable context, or otherwise receive a malicious agent response.
Patch
The patch canonicalizes commands for denylist evaluation by stripping leading environment-variable assignments before applying execution predicates.
Workarounds
Update a patched Warp build. If updating immediately is not possible, avoid running the unsandboxed CLI agent on untrusted or prompt-injectable content.
Credits
Thanks to the following reporter who responsibly disclosed this issue:
References
v0.2026.05.06.15.42.stable_01