CVE-2026-48732
Warp: Remote SSH cwd can lead to unauthorized remote command execution
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Warp is an agentic development environment. From 0.2023.03.21.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the legacy SSH background command path. Warp used the remote working directory reported by the session when building helper commands for SSH-backed metadata collection. A remote host, repository, or directory name controlled by an attacker could cause that helper command to execute additional shell syntax on the remote host as the victim's authenticated SSH account. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.
| CWE | CWE-78 |
| Vendor | warpdotdev |
| Product | warp |
| Published | Jun 24, 2026 |
| Last Updated | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for warpdotdev warp
Be the first to know when new high vulnerabilities affecting warpdotdev warp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
warpdotdev / warp
>= 0.2023.03.21.08.02.stable_00, < 0.2026.05.13.09.15.stable_01