Four Flaws in AI Agent Terminal Warp (CVE-2026-48704 and More) — Update to the Latest Build
Warp, a developer terminal with a built-in AI agent, has four vulnerabilities: CVE-2026-48704 and others, all rated CVSS 8.6 to 8.8. Merely opening a crafted document, receiving on-screen output, or letting the AI work in a malicious repository can run programs on your computer without your intent. Update to the latest build.

Makoto Horikawa
Backend Engineer / AWS / Django
Warp, a developer terminal with a built-in AI agent (an AI that carries out work on its own in response to instructions), has been found to contain four vulnerabilities (software flaws) at once. Their severity is 8.6 to 8.8 out of 10 (High), and the representative one is CVE-2026-48704.
All four were reported by GitHub and disclosed on June 24, 2026. The fixes are included in the stable build dated May 6, 2026 (0.2026.05.06.15.42.stable_01) and later. What they share is that merely opening a crafted document, receiving displayed output, or working in a malicious repository can lead to programs or file operations being run on your computer without your intent. If you are on an older version, update right away.
What kind of software is Warp?
Warp is a modern reimagining of the terminal (the black-screen tool where you type commands to operate a computer) that programmers use daily. Unlike an ordinary terminal, it has a built-in AI agent: ask it in plain language and it can devise and run commands, or take over investigating bugs and fixing code on your behalf.
It runs on macOS, Linux, and Windows, and has over 62,000 stars on GitHub. According to its official site, it is used even at Fortune 500 companies, and it is one of the more popular AI-assisted development tools.
Convenient as it is, Warp often acts on "what is displayed on screen" and "the files and repositories its AI agent touches," so if malicious content slips into those, operations the user never intended can be carried out. These four flaws are exactly this kind of weakness: how safely untrusted input is handled.
Who is targeted, what attackers do, and what happens
The targets are developers who use Warp to handle externally received code and documents, or unfamiliar repositories (code storehouses). Streaming the output of a command found online to the screen, opening a distributed Markdown document (a document written with simple symbols for headings and lists), having the AI agent inspect someone else's repository—these everyday actions in development become the entry point.
An attacker plants traps in such documents, output, or repository names so that, the moment a user opens or operates on them in Warp, a program runs or a file is written on the user's computer without the user intending it. Each flaw requires the user to take one action (clicking, receiving output, letting the AI work, and so on), but that action is everyday work itself, which is what makes the trap easy to trigger without noticing.
Once code runs, the damage can spread fast: reading or rewriting files on the computer, or using SSH credentials (SSH being the mechanism for connecting securely to a remote server) to break into other servers. Because a developer's computer often holds keys to production and the cloud, a small entry point tends to lead to a large impact.
Letting an AI agent handle an unfamiliar repository ties into the question of how far to trust the external assets you bring in. Inspecting the code and packages you import is worth revisiting alongside the ideas in our OSS supply-chain scanner overview. Vulnerabilities that begin to be used in attacks can be added to the U.S. agency CISA's "list of vulnerabilities under active attack"; we maintain a Japanese-language overview in our CISA KEV Dashboard (Japanese edition).
What the four vulnerabilities are
All four stem from "how untrusted input is handled," but their entry points differ. Let us look at each in turn. All are fixed in the stable build dated May 6, 2026 and later.
CVE-2026-48704: a link in a crafted Markdown document opens an executable file (CVSS 8.8)
According to the published information, when opening a local file from a link in a document, Warp did not limit it to safe viewer/editor software but handed the file off to the OS's default app. An attacker can embed a link to an executable file inside a Markdown document that looks like ordinary text. When the user clicks it, an executable file that should not be opened launches as-is (GHSA-589x-4mxh-jcrf).
CVE-2026-48720: displayed output alone writes a file to disk (CVSS 8.8)
Terminals have a mechanism for mixing special control instructions (escape sequences) into output. In this flaw, when Warp received an instruction in the "OSC 1337;File" format from output, it wrote the contents to disk as a local file without an extra confirmation step. In other words, merely streaming the output of a malicious server or command to the screen could place an arbitrary file on the user's machine (GHSA-5h96-jrrq-6hxq).
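A defensive filter for the case above, as an added example (not Warp's code and not taken from the advisory): it removes OSC 1337;File sequences from untrusted output before the bytes reach a terminal and reports what it dropped. The function name and the sample bytes are constructed for illustration.

```python
import re

# OSC 1337;File layout: ESC ] 1337 ; File = key=value;... : base64 payload,
# ended by BEL or ST (ESC \). The payload is dropped without decoding it.
OSC_FILE = re.compile(
    rb"\x1b\]1337;File=([^:\x07\x1b]*)"      # key=value arguments
    rb"(?::[^\x07\x1b]*)?"                   # optional ':' + payload
    rb"(\x07|\x1b\\|(?=\x1b)|\Z)"            # BEL, ST, or cut short
)


def strip_osc_file(data):
    """Return (clean_bytes, findings) with OSC 1337;File sequences removed."""
    findings = []

    def drop(match):
        args = {}
        for pair in match.group(1).split(b";"):
            key, sep, value = pair.partition(b"=")
            if sep:
                args[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
        findings.append({
            "offset": match.start(),
            "args": args,
            # An unterminated sequence is still removed (fail closed).
            "terminated": match.group(2) != b"",
        })
        return b""

    return OSC_FILE.sub(drop, data), findings


# Constructed sample: ordinary output with one embedded file-transfer sequence.
SAMPLE = b"build ok\n\x1b]1337;File=name=bm90ZXMudHh0;inline=0:aGVsbG8=\x07done\n"

if __name__ == "__main__":
    clean, found = strip_osc_file(SAMPLE)
    print(clean)
    print(found)
```

Ordinary colour and cursor sequences pass through unchanged; only the file-transfer form is removed.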
CVE-2026-48721: the AI agent's permission check can be bypassed (CVSS 8.6)
Warp's default AI agent profile runs without a sandbox (a mechanism that isolates execution). In this flaw, the matching that rejects dangerous commands (checking against a denylist) was done before normalizing how environment-variable assignments were written, so crafting the syntax could slip past the check. As a result, command execution that should have been blocked passes through by bypassing the permission check (GHSA-3839-h8jj-ph82).
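The ordering problem described above, as an added example (a hypothetical checker, not Warp's code): the same denylist is applied once to the raw first word and once after leading NAME=value words are stripped. The denylist entries and sample commands are constructed, and only the assignment prefix named in the advisory is normalized.

```python
import re
import shlex

DENYLIST = {"rm", "curl"}          # hypothetical entries, not Warp's list
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def check_before_normalizing(command):
    """Flawed order: match the denylist against the raw first word."""
    words = command.split()
    return not words or words[0] not in DENYLIST     # True means "allowed"


def normalize(command):
    """Tokenize like a POSIX shell, then drop leading NAME=value words."""
    words = shlex.split(command)
    while words and ASSIGNMENT.match(words[0]):
        words.pop(0)
    return words


def check_after_normalizing(command):
    """Corrected order: normalize first, then match the denylist."""
    try:
        words = normalize(command)
    except ValueError:             # unbalanced quotes: fail closed
        return False
    return not words or words[0] not in DENYLIST


# Constructed commands an agent might propose.
SAMPLES = ["ls -la", "rm -rf build", "CI=1 rm -rf build", 'CI="a b" rm x']

if __name__ == "__main__":
    for cmd in SAMPLES:
        print("%-20r before=%-5s after=%s" % (
            cmd, check_before_normalizing(cmd), check_after_normalizing(cmd)))
```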
CVE-2026-48732: command injection via host and directory names on SSH connect (CVSS 8.8)
This flaw is in older processing that runs behind SSH connections. When building a helper command to gather information about the connection target, Warp used the remote working directory name and the like as-is. If an attacker plants a malicious string in a remote host name, repository name, or directory name, then the moment the user connects there over SSH, that string is interpreted as a command and arbitrary commands run with the user's SSH privileges (GHSA-qqpc-wvvw-4269).
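How the helper-command pattern goes wrong and how quoting fixes it, as an added example (not Warp's code): the `git rev-parse` helper, the function names, and the directory names are assumptions made for illustration. The check confirms that the untrusted name stays a single shell word after `cd --`.

```python
import re
import shlex

HOST_OK = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def helper_command_unquoted(remote_dir):
    """Flawed pattern: the untrusted name is pasted into shell text as-is."""
    return "cd -- %s && git rev-parse --abbrev-ref HEAD" % remote_dir


def helper_command_quoted(remote_dir):
    """Hardened: the name becomes exactly one shell word on the remote side."""
    if "\x00" in remote_dir:
        raise ValueError("NUL byte in directory name")
    return "cd -- %s && git rev-parse --abbrev-ref HEAD" % shlex.quote(remote_dir)


def ssh_argv(host, remote_dir):
    """argv for running ssh locally; the host must look like a plain host name."""
    if not HOST_OK.fullmatch(host):
        raise ValueError("refusing host name: %r" % host)
    return ["ssh", "--", host, helper_command_quoted(remote_dir)]


def stays_one_argument(command, remote_dir):
    """True when a POSIX tokenizer sees remote_dir as the one word after 'cd --'."""
    try:
        return shlex.split(command)[:3] == ["cd", "--", remote_dir]
    except ValueError:             # unbalanced quotes leaked from the name
        return False


# Constructed directory names; the second carries a shell separator.
SAMPLES = ["src/app", "proj; echo INJECTED", "it's"]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-24r unquoted=%-5s quoted=%s" % (
            name,
            stays_one_argument(helper_command_unquoted(name), name),
            stays_one_argument(helper_command_quoted(name), name)))
```

`shlex.quote` targets POSIX shells, so this assumes the remote login shell is one.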
A quick reference of what is risky
All four have "one user action" as the entry point. Here is which action leads to which flaw. All are fixed in the latest version.
| Triggering action | CVE | What can happen |
|---|---|---|
| Click a link in a distributed document | CVE-2026-48704 | An executable launches on its own |
| Stream output to screen (command / server reply) | CVE-2026-48720 | A file is written without confirmation |
| Let the default AI agent do work | CVE-2026-48721 | A dangerous command bypasses the check |
| SSH into a malicious host | CVE-2026-48732 | Commands run with your SSH privileges |
None of these is fully no-click, since "you take one action," but that action is everyday work such as clicking or displaying output. The case of letting the AI agent handle an unfamiliar repository deserves particular care.
What to do now
The top priority is to update Warp to the latest version (the stable build dated May 6, 2026 or later). You can check for updates from Warp's settings. The version string is in a date-based format (e.g. 0.2026.05.06.15.42.stable_01), so confirm whether your build is at or after this.
If you cannot update immediately, these habits help: do not open links in documents of dubious origin, do not stream untrusted command or server output straight to your screen, and do not let the AI agent automatically touch unfamiliar repositories. When using the AI agent, run it in an isolated environment or with reduced privileges where possible. Limit SSH connections to trusted destinations. In case suspicious execution has already occurred, consider rotating the SSH and cloud credentials stored on your computer.
Summary
The four vulnerabilities found in the AI agent terminal Warp (CVE-2026-48704 / 48720 / 48721 / 48732) all stem from lax handling of untrusted input, allowing everyday actions—opening a document, displaying output, letting the AI work, connecting over SSH—to permit unintended program execution or file operations on your computer. Their severity is CVSS 8.6 to 8.8, and they are fixed in the stable build dated May 6, 2026 and later.
The more a tool lets AI carry out work on its own, the greater the damage when malice slips into the input it handles. If you use Warp, first check your version and, if it is old, update now. If new vulnerabilities concerning Warp emerge, we will track them by adding to this article.
References
- NVD - CVE-2026-48704 (Markdown link opens an executable)
- NVD - CVE-2026-48720 (output writes a file to disk)
- NVD - CVE-2026-48721 (AI agent permission-check bypass)
- NVD - CVE-2026-48732 (command injection on SSH connect)
- Warp Security Advisories (GitHub, reporter)
- GitHub - warpdotdev/warp (project, releases)
- Warp official site (product overview, supported OS)