CVE-2026-54686

Warp: DCS lifecycle hook spoofing can alter terminal session metadata

CVSS 4.3 MEDIUMEPSS 0.3%CWE-78 CWE-88

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 4.3EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

16 Jun 2026Public PoC

24 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepted certain state-mutating terminal lifecycle hooks from the PTY stream without verifying that the hooks were emitted by Warp's shell integration for the active session. An attacker who could cause a victim to view attacker-controlled terminal output in Warp could spoof selected lifecycle metadata, including the current working directory reported for the active block or SSH session transport metadata. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected products

warpdotdev · warp

public PoCs found — 1

githubgithub.com/Saku0512/CVE-2026-54686-poc★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/warpdotdev/warp/commit/32d21d15c9a3da1a923d1ed66226cf5cba081d16 https://github.com/warpdotdev/warp/commit/51bd3267803c5cc0a45074fa19fd50162be7c917 https://github.com/warpdotdev/warp/security/advisories/GHSA-9w2v-jhww-vm85