CVE-2026-54699 PUBLISHED

Warp: OS command injection when opening terminal links from WSL

Assigner: GitHub_M
Reserved: 15.06.2026 Published: 24.06.2026 Updated: 25.06.2026

Warp is an agentic development environment. From 0.2024.03.12.08.02.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains an OS command injection vulnerability in the WSL URL-opening fallback. When Warp is running under WSL and cannot open a URL through wslview, it falls back to a Windows command processor path. A URL controlled through terminal output can reach that fallback when the user opens the link. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 7.7

Attack Vector	Local	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	warpdotdev
Product	warp
Versions	Version >= 0.2024.03.12.08.02.stable_01, < 0.2026.05.13.09.15.stable_01 is affected

References

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE
CWE-116: Improper Encoding or Escaping of Output CWE