Warp Fixes Command Injection Flaws in SSH Sessions and Git Branch Selection
Warp disclosed and patched multiple command injection vulnerabilities that could let attacker-controlled input reach shell commands in the terminal and development environment. One flaw, tracked as CVE-2026-48732 / GHSA-qqpc-wvvw-4269, affected legacy SSH background command handling from version v0.2023.03.21.08.02.stable_00 onward. Malicious remote host, repository, or directory names could inject shell syntax into helper commands used for SSH-backed metadata collection, allowing command execution on the remote host with the victim’s authenticated SSH account after user interaction in an affected legacy SSH session. Warp said the issue was fixed by escaping embedded single quotes in the remote working directory and released patched versions including v0.2026.05.06.15.42.stable_01 and v0.2026.05.13.09.15.stable_01.
A separate high-severity flaw, CVE-2026-48719, affected Warp versions from 0.2025.08.06.08.12.stable_00 through 0.2026.05.06.15.42.stable_01 and allowed a malicious Git branch name to be interpreted by the victim’s shell when selected from Warp’s prompt branch selector. Warp’s June code changes also show broader hardening of remote SSH session handling, including shell-specific escaping for single quotes before constructing commands such as cd and cat, plus tests covering Bash, Zsh, Fish, and PowerShell to keep crafted paths inert. The combined disclosures indicate that untrusted repository metadata and remote session context could be weaponized for command execution unless users upgrade to fixed releases.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-48719 branch selector command injection is published
On 2026-06-24, CVE-2026-48719 was published as a high-severity Warp vulnerability affecting the prompt branch selector. The flaw allows a malicious Git branch name in a repository opened in Warp to be interpreted by the victim’s shell when selected from the UI, and remediation is to upgrade to v0.2026.05.06.15.42.stable_01 or later.
Warp discloses CVE-2026-48732 in legacy SSH background command path
On 2026-06-09, Warp published advisory GHSA-qqpc-wvvw-4269 for CVE-2026-48732, describing how attacker-controlled remote host, repository, or directory names could trigger unauthorized command execution on a remote host via legacy SSH metadata collection. The issue affects versions starting from v0.2023.03.21.08.02.stable_00 and requires user interaction in an affected legacy SSH session.
Warp releases fix for remote SSH command injection flaw
On 2026-06-09, Warp committed a patch for a command injection vulnerability in remote SSH session handling, adding shell-specific escaping for single quotes and tests across multiple shells. The GitHub advisory for CVE-2026-48732 says patched releases include v0.2026.05.06.15.42.stable_01 and v0.2026.05.13.09.15.stable_01.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-48719 - Warp branch selector command injection via Git branch names
cvefeed.io
Open sourceRemote SSH cwd can lead to unauthorized remote command execution · Advisory · warpdotdev/warp · GitHub
github.com
Open source[Security] Fix command injection in remote ssh sessions (#25354) · warpdotdev/warp@88c344e · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Warp Markdown Link Flaw Allowed Local Executables to Be Opened
Warp disclosed and patched **CVE-2026-48704** / **GHSA-589x-4mxh-jcrf**, a high-severity flaw in its Markdown notebook link handling that could cause executable local files to be opened through the operating system’s default file handler. The bug affects Warp versions from `0.2023.10.24.08.03.stable_00` up to, but not including, `0.2026.05.06.15.42.stable_01`, and could be triggered when a user clicked a malicious local-file link embedded in attacker-controlled Markdown content or a project. Successful exploitation could lead to code execution with the privileges of the Warp user, with confirmed impact on **macOS** and **Windows** and conditional impact on **Linux** depending on desktop environment and file-handler settings. Warp fixed the issue in version `0.2026.05.06.15.42.stable_01` by changing unsafe local-link behavior so files are revealed in the file manager instead of opened, and urged users to update immediately or avoid opening untrusted Markdown files and clicking embedded links until patched.
Jun 24, 2026
Dulwich Windows Git Path Flaw Enables Arbitrary File Write and RCE
A high-severity flaw in **Dulwich** tracked as `CVE-2026-42305` allows arbitrary file write and potential remote code execution on Windows when a user clones, fetches, or checks out a malicious Git repository. The bug affects versions `0.10.0` through `1.2.4` and stems from improper validation of tree entry names that Windows interprets as path syntax, including backslashes, NTFS alternate data stream markers, and NTFS `8.3` short-name aliases tied to `.git`. A crafted repository can write files outside the work tree or place executable content such as `.git\hooks\pre-commit.exe` inside the victim’s Git metadata, which Git for Windows may later execute in the user’s context. The project released **Dulwich 1.2.5** to fix the issue, correcting mishandled `core.protectNTFS` and `core.protectHFS` configuration names, enabling `core.protectNTFS` by default on all platforms, and tightening checks to block dangerous names including reserved Windows devices like `CON`, `NUL`, `COM1`, and `LPT1`. Release notes say the update also addresses other security bugs, including unsafe submodule path handling, shell command injection in `ProcessMergeDriver`, unsafe patch filename generation, and improper `receive.maxInputSize` enforcement. Maintainers said there is no effective workaround short of upgrading, and warned that even POSIX users can unknowingly propagate malicious trees to Windows users through pushes or republished repositories.
Jun 11, 2026
GitHub Patched Critical `git push` RCE Affecting Cloud and Enterprise Server
GitHub disclosed and patched **CVE-2026-3854**, a critical command-injection flaw in its `git push` pipeline that allowed an authenticated user with repository push access to trigger remote code execution using a single crafted push. Wiz reported the bug on March 4, and GitHub said it reproduced the issue within about 40 minutes and deployed a fix to GitHub.com within roughly two hours, later publishing patches for supported GitHub Enterprise Server releases including **3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3**. The vulnerability stemmed from unsanitized user-supplied push option values being inserted into internal `X-Stat` headers, enabling attackers to inject trusted metadata, bypass sandboxing, and execute commands as the `git` service user. Researchers said the flaw could have led to **full server compromise** on GitHub Enterprise Server and, on GitHub.com, code execution on shared storage infrastructure where millions of repositories were accessible to the git service account, creating potential cross-tenant exposure. GitHub said forensic analysis and telemetry found **no evidence of malicious exploitation** and no indication that customer data was accessed, modified, or exfiltrated, but urged Enterprise Server administrators to upgrade immediately and review logs for suspicious push activity. Wiz described the bug as easy to exploit and highlighted its use of AI-assisted reverse engineering tools, including **IDA MCP**, to uncover the issue in GitHub’s closed-source components.
May 6, 2026