CVE-2026-29783 is an OS command injection vulnerability in the GitHub Copilot CLI shell tool affecting versions up to and including 0.0.422. The root cause lies in the CLI's shell safety assessment mechanism, which attempts to classify shell commands as either read-only (safe) or write-capable (requiring user approval) before execution. However, the safety layer fails to properly neutralize special elements used in bash parameter expansion, such as ${var@P}, ${var=value}, ${var:=value}, ${!var}, and nested command substitutions like $(cmd) or <(cmd) inside ${...} expansions. These expansions can embed executable code within arguments to commands that appear read-only, effectively bypassing the safety checks. An attacker who can influence the command text executed by the CLI—via prompt injection through malicious repository content (e.g., README files, code comments, issue bodies), compromised MCP server responses, or crafted user instructions—can exploit this flaw to execute arbitrary commands on the user's workstation. This can lead to unauthorized data access, file modifications, or further system compromise. The vulnerability does not require prior privileges but does require user interaction to trigger the execution. The flaw has been addressed in version 0.0.423 by improving the command classification and neutralization of dangerous bash expansions. No known exploits are currently reported in the wild.

The impact of this vulnerability is significant for organizations using GitHub Copilot CLI versions up to 0.0.422. Successful exploitation allows attackers to execute arbitrary code on the user's machine, potentially leading to data exfiltration, unauthorized file modifications, or full system compromise. Since the vulnerability can be triggered via repository files or server responses, it poses a risk in collaborative development environments where untrusted or malicious code or metadata can be introduced. This could lead to supply chain attacks or insider threat scenarios. The ability to bypass safety checks and execute hidden commands increases the risk of stealthy attacks that evade detection. Organizations relying on Copilot CLI for development automation or code generation may face operational disruptions and data breaches if exploited. The requirement for user interaction somewhat limits automated exploitation but does not eliminate risk, especially in environments with frequent CLI usage and automated workflows.

1. Upgrade GitHub Copilot CLI to version 0.0.423 or later, where the vulnerability is patched. 2. Implement strict code review and validation processes for repository files, especially README files, code comments, and issue bodies, to prevent injection of malicious commands. 3. Restrict or monitor the use of Copilot CLI in environments where untrusted code or metadata can be introduced. 4. Employ runtime monitoring and endpoint detection to identify suspicious shell command executions originating from the CLI. 5. Educate users about the risks of executing commands from untrusted sources and encourage cautious interaction with CLI prompts. 6. If upgrading is not immediately possible, consider disabling or limiting the shell tool functionality within Copilot CLI to reduce exposure. 7. Audit and secure MCP server communications to prevent injection of malicious responses. 8. Use sandboxing or containerization to isolate CLI executions and limit potential damage from exploitation.