CVE-2026-29783: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in github copilot-cli
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
AI Analysis
Technical Summary
CVE-2026-29783 is an OS command injection vulnerability classified under CWE-78 affecting GitHub Copilot CLI versions up to and including 0.0.422. The vulnerability stems from the CLI's shell tool safety assessment mechanism, which attempts to classify shell commands as either read-only (safe) or write-capable (requiring user approval) before execution. However, this safety layer fails to properly neutralize certain bash parameter expansion features that can embed executable code within arguments to commands that appear read-only. Specifically, dangerous patterns include ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested command substitutions $(cmd) or process substitutions <(cmd) inside ${...} expansions. An attacker who can influence the command text sent to the shell tool—via prompt injection through malicious repository content (such as README files, code comments, or issue bodies), compromised MCP server responses, or crafted user instructions—can exploit these expansions to execute arbitrary commands on the victim's workstation. This bypasses the safety assessment because the commands appear to use only read-only utilities but ultimately perform write or destructive operations. The vulnerability allows arbitrary code execution without requiring prior authentication or elevated privileges, though user interaction is needed to trigger the vulnerable CLI commands. The impact includes potential data exfiltration, unauthorized file modifications, and further system compromise. The vulnerability was publicly disclosed and patched in version 0.0.423 of GitHub Copilot CLI. The CVSS v4.0 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported as of the publication date.
Potential Impact
The vulnerability poses a significant risk to organizations using GitHub Copilot CLI versions up to 0.0.422, particularly developers and DevOps teams who rely on this tool for shell command assistance. Successful exploitation can lead to arbitrary code execution on the user's workstation, enabling attackers to exfiltrate sensitive data, modify or delete files, implant persistent malware, or pivot to other systems within the network. Since the attack vector includes prompt injection through repository files or server responses, supply chain attacks and insider threats are plausible. The bypass of the safety assessment means that users may unknowingly execute malicious commands under the guise of safe operations, increasing the likelihood of exploitation. The requirement for user interaction limits automated mass exploitation but does not eliminate risk, especially in environments where automated scripts or CI/CD pipelines invoke the CLI. The widespread adoption of GitHub Copilot CLI in software development environments globally amplifies the potential impact, affecting confidentiality, integrity, and availability of development workstations and potentially connected infrastructure.
Mitigation Recommendations
1. Immediate upgrade to GitHub Copilot CLI version 0.0.423 or later, where the vulnerability is patched. 2. Implement strict validation and sanitization of any input that can influence commands executed by the CLI, including repository files (README, code comments, issue bodies), MCP server responses, and user instructions. 3. Restrict or monitor the use of Copilot CLI in automated environments or CI/CD pipelines to prevent unintentional execution of injected commands. 4. Educate developers and users about the risks of prompt injection and encourage cautious review of repository content and external inputs that may affect CLI behavior. 5. Employ endpoint detection and response (EDR) tools to monitor for suspicious command execution patterns indicative of exploitation attempts. 6. Consider isolating development environments or using containerization to limit the blast radius of potential compromises. 7. Review and tighten permissions and approval workflows around write-capable operations initiated via the CLI to detect anomalous activities. 8. Monitor GitHub advisories and security updates for any emerging exploit reports or additional patches.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, India, Netherlands, South Korea, Israel, Singapore
CVE-2026-29783: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in github copilot-cli
Description
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-29783 is an OS command injection vulnerability classified under CWE-78 affecting GitHub Copilot CLI versions up to and including 0.0.422. The vulnerability stems from the CLI's shell tool safety assessment mechanism, which attempts to classify shell commands as either read-only (safe) or write-capable (requiring user approval) before execution. However, this safety layer fails to properly neutralize certain bash parameter expansion features that can embed executable code within arguments to commands that appear read-only. Specifically, dangerous patterns include ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested command substitutions $(cmd) or process substitutions <(cmd) inside ${...} expansions. An attacker who can influence the command text sent to the shell tool—via prompt injection through malicious repository content (such as README files, code comments, or issue bodies), compromised MCP server responses, or crafted user instructions—can exploit these expansions to execute arbitrary commands on the victim's workstation. This bypasses the safety assessment because the commands appear to use only read-only utilities but ultimately perform write or destructive operations. The vulnerability allows arbitrary code execution without requiring prior authentication or elevated privileges, though user interaction is needed to trigger the vulnerable CLI commands. The impact includes potential data exfiltration, unauthorized file modifications, and further system compromise. The vulnerability was publicly disclosed and patched in version 0.0.423 of GitHub Copilot CLI. The CVSS v4.0 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported as of the publication date.
Potential Impact
The vulnerability poses a significant risk to organizations using GitHub Copilot CLI versions up to 0.0.422, particularly developers and DevOps teams who rely on this tool for shell command assistance. Successful exploitation can lead to arbitrary code execution on the user's workstation, enabling attackers to exfiltrate sensitive data, modify or delete files, implant persistent malware, or pivot to other systems within the network. Since the attack vector includes prompt injection through repository files or server responses, supply chain attacks and insider threats are plausible. The bypass of the safety assessment means that users may unknowingly execute malicious commands under the guise of safe operations, increasing the likelihood of exploitation. The requirement for user interaction limits automated mass exploitation but does not eliminate risk, especially in environments where automated scripts or CI/CD pipelines invoke the CLI. The widespread adoption of GitHub Copilot CLI in software development environments globally amplifies the potential impact, affecting confidentiality, integrity, and availability of development workstations and potentially connected infrastructure.
Mitigation Recommendations
1. Immediate upgrade to GitHub Copilot CLI version 0.0.423 or later, where the vulnerability is patched. 2. Implement strict validation and sanitization of any input that can influence commands executed by the CLI, including repository files (README, code comments, issue bodies), MCP server responses, and user instructions. 3. Restrict or monitor the use of Copilot CLI in automated environments or CI/CD pipelines to prevent unintentional execution of injected commands. 4. Educate developers and users about the risks of prompt injection and encourage cautious review of repository content and external inputs that may affect CLI behavior. 5. Employ endpoint detection and response (EDR) tools to monitor for suspicious command execution patterns indicative of exploitation attempts. 6. Consider isolating development environments or using containerization to limit the blast radius of potential compromises. 7. Review and tighten permissions and approval workflows around write-capable operations initiated via the CLI to detect anomalous activities. 8. Monitor GitHub advisories and security updates for any emerging exploit reports or additional patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-04T16:26:02.898Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69ab0852c48b3f10ffb0e5bd
Added to database: 3/6/2026, 5:01:06 PM
Last enriched: 3/13/2026, 7:20:17 PM
Last updated: 4/20/2026, 10:46:35 AM
Views: 128
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.