CVE-2026-48721
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
Warp is a development environment that contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. This vulnerability allows an attacker to treat denylisted commands as allowed.
Risk Assessment
Organizations may be exposed to unauthorized command execution, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to update Warp to version 0.2026.05.06.15.42.stable_01 to mitigate this vulnerability and review security measures to assess potential threats.
Original NVD description (English source)
Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

