What happened
NVD published a cluster of 10 CVEs against Warp on 2026-06-24, all patched in the same stable release. The bugs span the entire agent attack surface: an AI agent code-search tool that builds shell commands from search patterns (CVE-2026-48703), a command denylist bypass in the non-interactive CLI agent profile (CVE-2026-48721), malicious terminal output writing local files via OSC escape (CVE-2026-48720), crafted Git branch names causing command injection in the prompt (CVE-2026-48719), legacy SSH session command injection via remote working directory (CVE-2026-48732), and clipboard exfiltration by terminal output (CVE-2026-48725).
Why it matters
Warp is an AI-first terminal widely used by developers who run AI coding agents (Claude Code, Cursor, Copilot) in it. These bugs mean a malicious repository, remote host, or webpage can execute code on the developer's machine through Warp's own agent execution surface — the exact environment where AI coding agents have elevated trust and broad filesystem/shell access.
Attack vector
Multiple vectors:
(1) malicious Markdown file with local-file link executes via OS file handler;
(2) OSC 1337;File terminal payload writes arbitrary local files;
(3) crafted Git branch name injected into prompt branch selector executes OS commands;
(4) CLI agent command denylist bypass via unsandboxed agent profile;
(5) SSH remote working directory injection in legacy SSH path;
(6) Grep/FileGlob agent tools build shell commands from attacker-controlled input;
(7) terminal clipboard access requested by malicious remote host.
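To triage captured terminal output or an untrusted file for the OSC 1337;File sequence from vector (2) before it is displayed, the scanner below walks 7-bit OSC sequences and flags that one. It is an added example, not Warp's code or part of the advisory; the function names and the sample bytes are constructed for illustration.

```python
"""Scan untrusted bytes (a log, a file about to be printed) for OSC sequences."""

ESC_OSC = b"\x1b]"                    # 7-bit OSC introducer: ESC ]
TERMINATORS = (b"\x07", b"\x1b\\")    # BEL or ST (ESC \)
FLAGGED_PREFIXES = (b"1337;File",)    # the sequence named in the advisory


def scan_osc(data: bytes):
    """Return (start, end, body, verdict) for each OSC sequence in data.

    end is exclusive and includes the terminator. verdict is 'file-transfer'
    for OSC 1337;File, 'unterminated' when no BEL/ST follows, else 'other'.
    The 8-bit C1 introducer (0x9d) is not handled here.
    """
    findings, pos = [], 0
    while (start := data.find(ESC_OSC, pos)) != -1:
        body_start = start + len(ESC_OSC)
        ends = [i for t in TERMINATORS if (i := data.find(t, body_start)) != -1]
        if not ends:
            # No terminator: report it and treat the rest of the input as its body.
            findings.append((start, len(data), data[body_start:], "unterminated"))
            break
        end = min(ends)
        term_len = 1 if data[end:end + 1] == b"\x07" else 2
        body = data[body_start:end]
        verdict = "file-transfer" if body.startswith(FLAGGED_PREFIXES) else "other"
        findings.append((start, end + term_len, body, verdict))
        pos = end + term_len
    return findings


def strip_osc(data: bytes) -> bytes:
    """Drop every OSC sequence, terminated or not, and keep the remaining bytes."""
    out, pos = bytearray(), 0
    for start, end, _body, _verdict in scan_osc(data):
        out += data[pos:start]
        pos = end
    return bytes(out + data[pos:])


# Constructed sample: a title sequence, a placeholder 1337;File sequence,
# and an unterminated OSC at the end of the input.
SAMPLE = (b"build ok\n"
          b"\x1b]0;window title\x07"
          b"\x1b]1337;File=name=CONSTRUCTED;inline=0:CONSTRUCTED\x07"
          b"done\n"
          b"\x1b]8;;trailing")
```
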
Affected systems
Warp terminal < 0.2026.05.06.15.42.stable_01 (multiple CVEs: CVE-2026-48704, CVE-2026-48719, CVE-2026-48720, CVE-2026-48721, CVE-2026-48731, CVE-2026-48732, CVE-2026-48703, CVE-2026-48725, CVE-2026-54699, CVE-2026-54686)
Mitigation
Upgrade to Warp 0.2026.05.06.15.42.stable_01 or later. All CVEs are fixed in the same release. References: https://github.com/warpdotdev/warp (individual commit links per CVE are in NVD).