QSearchQSearch

CVE-2026-29783

7.8 HIGH

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash ...

Published: 2026-03-06 · Last updated: 2026-05-18

Severity and scoring

CVSS
7.8 HIGH
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-78

Affected products

VendorProduct
githubcopilot_command_line_interface

Description

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-48501 GitHub CLI (gh) is GitHub’s official command line tool (7.4 HIGH)
  • CVE-2026-9312 A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to... (8.2 HIGH)
  • CVE-2026-8606 A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the serve... (5.9 MEDIUM)
  • CVE-2026-45803 `gh` is GitHub’s official command line tool (3.5 LOW)
  • CVE-2026-45033 GitHub Copilot CLI brings AI-powered coding assistance directly to your command line (7.8 HIGH)

Same CWE

  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-42563 Dulwich is a pure-Python implementation of the Git file formats and protocols
  • CVE-2026-0273 A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrict...
  • CVE-2026-6893 A flaw was found in dracut (8.8 HIGH)
  • CVE-2026-46643 Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page