CVE-2026-54699
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
Warp, an agentic development environment, contains an OS command injection vulnerability in the WSL URL-opening fallback. Versions from 0.2024.03.12.08.02.stable_01 to 0.2026.05.06.15.42.stable_01 are affected when Warp cannot open a URL through wslview and falls back to a Windows command processor path.
Risk Assessment
An attacker could exploit this vulnerability to execute arbitrary system commands on the user's machine, potentially leading to serious security breaches.
Recommendation
It is recommended to update Warp to version 0.2026.05.06.15.42.stable_01 or later to mitigate this vulnerability.
Original NVD description (English source)
Warp is an agentic development environment. From 0.2024.03.12.08.02.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains an OS command injection vulnerability in the WSL URL-opening fallback. When Warp is running under WSL and cannot open a URL through wslview, it falls back to a Windows command processor path. A URL controlled through terminal output can reach that fallback when the user opens the link. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

