Command Injection in Warp legacy SSH background command path
CVE-2026-48732 is a command injection vulnerability in Warp, affecting versions from 0.2023.03.21.08.02.stable_00 up to but not including 0.2026.05.06.15.42.stable_01. The flaw exists in Warp’s legacy SSH background command path used for SSH-backed metadata collection. Warp incorporated the remote working directory reported by the SSH session into helper commands without safely neutralizing attacker-controlled shell syntax. If a remote host, repository, or directory name is attacker-controlled, it can inject additional shell metacharacters or shell syntax into the constructed helper command, causing unintended commands to execute on the remote host under the victim’s authenticated SSH account. The vendor indicates the issue was fixed by escaping embedded single quotes in the remote working directory before constructing the legacy SSH helper command.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small standalone proof-of-concept for CVE-2026-48732 affecting Warp's legacy SSH background command handling. It contains two files: a README describing the vulnerability, affected/fixed versions, root cause, and usage; and a single Python script (poc.py) that serves as the exploit entry point. The script does not attack Warp or any remote host directly. Instead, it safely reproduces the vulnerable command-building pattern locally by generating a shell command of the form `cd '<cwd>' && pwd`, where the cwd is attacker-controlled and contains an embedded single quote to break out of the quoted argument. In vulnerable mode, this causes an injected `touch` command to execute and create a marker file; in fixed mode, embedded single quotes are escaped and the marker is not created. Structurally, the code is straightforward: helper functions build vulnerable and fixed command strings, a shell execution wrapper invokes `/bin/sh -c`, argument parsing exposes `--mode`, `--marker`, and `--keep-existing-marker`, and `main()` orchestrates temporary directory creation, malicious cwd construction, execution, and result reporting. The main exploit capability demonstrated is OS command injection leading to command execution, represented here by marker-file creation. Because the repository is a local simulation rather than a full remote exploit, it should be classified as a PoC rather than an operational exploit.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.