Description
Impacted Warp versions contain a command execution policy bypass in Agent code search tools. The affected Grep and FileGlob actions are authorized as read/search operations, but their implementations build shell command strings from Agent-controlled inputs (search text, paths, glob patterns) and execute them in the active terminal session
Impact
An attacker who can influence Agent context or tool arguments, such as through malicious project instructions or prompt-injected local content, can cause a search action that appears read-only to execute shell syntax. This bypasses the command execution approval and allow/deny policy that would apply to an explicit command-running tool.
The resulting command runs with the privileges of the active Warp session. Exploitation requires user interaction: the user must invoke Warp Agent against attacker-influenced content.
Patch
The patch quotes complete search arguments, paths, and glob patterns as shell data before building the generated command strings, including PowerShell-specific handling.
Workarounds
Update to a patched Warp version. More intelligent models are typically more capable of resisting this kind of attack.
Credits
Thanks to the following reporters who responsibly disclosed this issue:
References
Description
Impacted Warp versions contain a command execution policy bypass in Agent code search tools. The affected
GrepandFileGlobactions are authorized as read/search operations, but their implementations build shell command strings from Agent-controlled inputs (search text, paths, glob patterns) and execute them in the active terminal sessionImpact
An attacker who can influence Agent context or tool arguments, such as through malicious project instructions or prompt-injected local content, can cause a search action that appears read-only to execute shell syntax. This bypasses the command execution approval and allow/deny policy that would apply to an explicit command-running tool.
The resulting command runs with the privileges of the active Warp session. Exploitation requires user interaction: the user must invoke Warp Agent against attacker-influenced content.
Patch
The patch quotes complete search arguments, paths, and glob patterns as shell data before building the generated command strings, including PowerShell-specific handling.
Workarounds
Update to a patched Warp version. More intelligent models are typically more capable of resisting this kind of attack.
Credits
Thanks to the following reporters who responsibly disclosed this issue:
References
v0.2026.05.06.15.42.stable_01