Warp Agent had a command execution policy bypass in the code search tools. Grep and FileGlob were treated as read-only search actions, but the implementations generated shell command strings from Agent-controlled input and executed those strings in the active terminal session.
The vulnerable surface was not grep or file globbing by itself. The issue was that search strings, paths, and glob patterns crossed a trust boundary from model-influenced data into shell command text.
That meant an attacker who could influence the Agent's context or tool arguments could hide shell syntax inside a search action, without going through the explicit command-execution approval path.
| Item | Value |
|---|---|
| Vendor | Warp |
| Product | Warp Agent |
| CVE | CVE-2026-48703 |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command |
| CVSS | 7.8 High |
| Affected Versions | >=v0.2025.04.09.08.11.stable_00 |
| Fixed Version | v0.2026.05.06.15.42.stable_01 |
| Fixed Commit | 43f4f483e0c2 |
| Primary Components | Agent code search tools: Grep and FileGlob |
| Primary Sink | Generated shell commands executed in the active terminal session |
The advisory describes the issue as a command execution policy bypass in Warp Agent's code search tools. The search actions were intended to inspect local files, but attacker-controlled query or glob values could be interpreted by the shell during command construction.
The bug is reached when attacker-influenced context causes Warp Agent to run a code search action with shell-sensitive input. The user is authorizing a search action, but the implementation path evaluates a generated shell command.
Grep / FileGlob
The Agent chooses a search query, target path, or glob pattern.
The important property is the policy mismatch. A user who allows code search is not making the same decision as a user who approves arbitrary shell execution. Pre-patch, those two paths could converge when search arguments reached shell syntax.
Warp Agent can choose code search arguments based on project context. That context may include repository files, task descriptions, or other untrusted text. The generated search arguments therefore cannot be treated as trusted shell fragments.
The vulnerable design assembled command strings for tools such as grep, git grep, find, git ls-files, or PowerShell Select-String / Get-ChildItem. Once a complete command is passed through a shell, characters such as quotes, command substitution, and command separators become security-sensitive.
Conceptually, a grep-style command had this shape:
vulnerable shape, simplified
grep --color=never -nrIHE --devices=skip -e "<query>" "<target_path>"
Escaping only quote characters is not enough when the result is evaluated by a shell. In POSIX shells, command substitution such as $() still runs inside double quotes. In PowerShell, expandable strings also have their own evaluation rules.
A search query with this shape is therefore dangerous if it reaches the shell as syntax:
grep query shape
$(touch /tmp/warp-agent-grep-poc)
FileGlob could generate search commands using git ls-files, find, or PowerShell Get-ChildItem, depending on platform and repository state. A simplified find-based shape is:
find "<target_path>" -type f -name '<pattern>'
If the pattern breaks out of the intended quoted argument, the rest of the generated command can become attacker-controlled shell syntax.
file glob pattern shape
x' -o -name '*' -exec sh -c 'touch /tmp/warp-agent-fileglob-poc' ';' #
That turns a file listing operation into command execution in the active terminal session.
| Dimension | Description |
|---|---|
| Attack Vector | Local developer workflow, typically through attacker-influenced repository content or task context |
| Required Privilege | The attacker must influence the Agent's search arguments; the victim must run Warp Agent against that context |
| User Interaction | The victim interacts with Warp Agent and permits or triggers a search action |
| Observed Result | Shell syntax embedded in a search argument can execute in the active Warp terminal session |
| Practical Impact | Local command execution as the user running Warp, including access to files, credentials, and tools available in that session |
The practical impact depends on the active terminal environment. A normal developer session may have access to private source code, SSH keys, cloud credentials, project secrets, and local build or deployment tools.
The following shapes are non-destructive and document the bug class. They create marker files under /tmp if the vulnerable command construction path evaluates the payload as shell syntax.
$(touch /tmp/warp-agent-grep-poc)
file glob pattern shape
x' -o -name '*' -exec sh -c 'touch /tmp/warp-agent-fileglob-poc' ';' #
A vulnerable build can execute the marker-file command while attempting to run what appears to be a read-only search.
The fix changes command construction from escaping fragments inside shell strings to quoting each complete argument as shell data. The patch centralizes command construction and consistently quotes model-controlled values after the final argument value is assembled.
The patch applies this approach to grep queries, target paths, git pathspecs, find patterns, PowerShell Select-String patterns, and PowerShell Get-ChildItem include patterns.
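The two construction approaches side by side, as an added example that is not Warp's code: the builder names are hypothetical, Python's `shlex.quote` stands in for the patch's quoting routine, and the page's marker-file shapes are pointed at a scratch directory instead of /tmp. It assumes a POSIX `sh` with `grep` and `find` on the PATH.

```python
import os
import shlex
import subprocess
import tempfile

# The page's two marker-file shapes; {marker} is filled with a scratch path.
GREP_VALUE = "$(touch {marker})"
FIND_VALUE = "x' -o -name '*' -exec sh -c 'touch {marker}' ';' #"

def grep_escaped(query, target):
    # Pre-patch shape: escape quote characters, paste into a shell template.
    escaped = query.replace('"', '\\"')
    return f'grep -nrIHE -e "{escaped}" "{target}"'

def find_escaped(pattern, target):
    # Pre-patch shape: the template owns the quotes around the pattern.
    return f"find \"{target}\" -type f -name '{pattern}'"

def quote_argv(argv):
    # Post-patch approach: quote each complete argument as shell data.
    return " ".join(shlex.quote(arg) for arg in argv)

def grep_quoted(query, target):
    return quote_argv(["grep", "-nrIHE", "-e", query, target])

def find_quoted(pattern, target):
    return quote_argv(["find", target, "-type", "f", "-name", pattern])

def marker_created(build, value_template):
    """Run build(value, dir) via sh in a scratch dir; True if the marker
    file named inside the value exists afterwards."""
    with tempfile.TemporaryDirectory() as work:
        marker = os.path.join(work, "marker")
        src = os.path.join(work, "src")
        os.mkdir(src)
        with open(os.path.join(src, "a.txt"), "w") as fh:
            fh.write("hello\n")  # constructed sample file
        command = build(value_template.format(marker=marker), src)
        subprocess.run(["sh", "-c", command], check=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return os.path.exists(marker)

if __name__ == "__main__":
    for build, value in [(grep_escaped, GREP_VALUE), (grep_quoted, GREP_VALUE),
                         (find_escaped, FIND_VALUE), (find_quoted, FIND_VALUE)]:
        print(f"{build.__name__:13} marker created: {marker_created(build, value)}")
```

The same pair of checks works as a regression test for any tool that turns model-chosen search arguments into a shell string: the marker must never appear, whatever the value contains.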
v0.2026.05.06.15.42.stable_01 or later.
| Date | Event |
|---|---|
| 2026-05-06 | Patched release v0.2026.05.06.15.42.stable_01 listed in the advisory. |
| 2026-06-09 | GitHub advisory GHSA-8r78-7jwh-m6hm published. |
| 2026-06-09 | CVE-2026-48703 public. |
| 2026-06-10 JST | This private write-up added. |