CVE-2026-29783

Source
https://cve.org/CVERecord?id=CVE-2026-29783
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29783.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-29783
Aliases
Published
2026-03-06T16:39:27.424Z
Modified
2026-04-02T13:23:01.503206Z
Severity
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
GitHub Copilot CLI allows for dangerous shell expansion patterns that enable arbitrary command execution
Details

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423.

The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations.

The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
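As an added illustration (example code, not Copilot CLI's own implementation), the following is a conservative pre-execution check of the kind the advisory implies: a command is never classified read-only on its utility name alone, and any of the named expansion patterns forces approval. The READ_ONLY_UTILITIES allowlist, the function names and the sample commands are assumptions constructed for this example.

```python
import re

# Constructed allowlist standing in for whatever the real safety layer treats as read-only.
READ_ONLY_UTILITIES = {"cat", "ls", "echo", "grep", "head", "wc"}

# Patterns named in the advisory, matched conservatively (over-flagging is acceptable here).
DANGEROUS_PATTERNS = [
    ("prompt-transform ${var@P}", re.compile(r"\$\{[^}]*@P\}")),
    ("assignment ${var=...}/${var:=...}", re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*:?=")),
    ("indirect ${!var}", re.compile(r"\$\{![^}]*\}")),
]


def _nested_substitution_in_brace_expansion(cmd):
    """True if $(...) or <(...) appears inside a ${...} expansion.

    Tracks ${ nesting depth by hand, because a single regex cannot match balanced braces.
    """
    depth, i = 0, 0
    while i < len(cmd):
        two = cmd[i:i + 2]
        if two == "${":
            depth += 1
            i += 2
            continue
        if depth > 0:
            if two in ("$(", "<("):
                return True
            if cmd[i] == "}":
                depth -= 1
        i += 1
    return False


def find_dangerous_expansions(cmd):
    """Return the labels of every advisory-listed pattern present in cmd."""
    hits = [label for label, rx in DANGEROUS_PATTERNS if rx.search(cmd)]
    if _nested_substitution_in_brace_expansion(cmd):
        hits.append("nested $(...)/<(...) inside ${...}")
    return hits


def classify(cmd):
    """'read-only' only if the utility is allowlisted AND no dangerous expansion is present."""
    words = cmd.strip().split()
    if not words or words[0] not in READ_ONLY_UTILITIES:
        return "requires-approval"
    if find_dangerous_expansions(cmd):
        return "requires-approval"
    return "read-only"
```

Plain variable references such as `${HOME}` still pass, so the check tightens the read-only class without forcing approval for every expansion.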

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29783.json"
}
References

Affected packages

Git / github.com/github/copilot-cli

Affected ranges

Type
GIT
Repo
https://github.com/github/copilot-cli
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.0.328
v0.0.329
v0.0.330
v0.0.331
v0.0.332
v0.0.333
v0.0.334
v0.0.335
v0.0.336
v0.0.337
v0.0.338
v0.0.339
v0.0.340
v0.0.341
v0.0.342
v0.0.343
v0.0.344
v0.0.345
v0.0.346
v0.0.347
v0.0.348
v0.0.349
v0.0.350
v0.0.351
v0.0.352
v0.0.353
v0.0.354
v0.0.355
v0.0.355-37
v0.0.356
v0.0.356-0
v0.0.357
v0.0.357-0
v0.0.358
v0.0.358-0
v0.0.358-1
v0.0.359
v0.0.359-0
v0.0.360
v0.0.361
v0.0.361-0
v0.0.362
v0.0.362-0
v0.0.362-1
v0.0.363
v0.0.363-0
v0.0.363-1
v0.0.363-2
v0.0.364
v0.0.364-0
v0.0.365
v0.0.366
v0.0.366-0
v0.0.366-1
v0.0.366-2
v0.0.366-3
v0.0.366-5
v0.0.366-6
v0.0.366-7
v0.0.366-8
v0.0.366-9
v0.0.367
v0.0.367-0
v0.0.368
v0.0.368-0
v0.0.368-1
v0.0.368-2
v0.0.368-3
v0.0.368-4
v0.0.369
v0.0.369-0
v0.0.370
v0.0.370-0
v0.0.370-1
v0.0.370-5
v0.0.370-6
v0.0.370-7
v0.0.371
v0.0.371-0
v0.0.372
v0.0.373
v0.0.373-2
v0.0.373-3
v0.0.374
v0.0.375
v0.0.375-0
v0.0.375-1
v0.0.375-2
v0.0.376
v0.0.377
v0.0.378-0
v0.0.378-1
v0.0.378-2
v0.0.380
v0.0.381
v0.0.382
v0.0.382-0
v0.0.384
v0.0.385
v0.0.386
v0.0.387
v0.0.388
v0.0.388-0
v0.0.388-1
v0.0.389
v0.0.389-0
v0.0.389-1
v0.0.390
v0.0.392
v0.0.393
v0.0.394
v0.0.395
v0.0.396
v0.0.396-0
v0.0.397
v0.0.398
v0.0.399
v0.0.399-0
v0.0.400
v0.0.400-0
v0.0.401
v0.0.401-0
v0.0.401-1
v0.0.402
v0.0.402-0
v0.0.403
v0.0.404
v0.0.404-0
v0.0.405
v0.0.406
v0.0.406-0
v0.0.406-1
v0.0.407
v0.0.407-0
v0.0.407-1
v0.0.408
v0.0.409
v0.0.410
v0.0.410-0
v0.0.410-1
v0.0.411
v0.0.411-0
v0.0.411-1
v0.0.412
v0.0.412-0
v0.0.412-1
v0.0.412-2
v0.0.413
v0.0.413-0
v0.0.414
v0.0.415
v0.0.415-0
v0.0.415-1
v0.0.416
v0.0.417
v0.0.418
v0.0.418-0
v0.0.419
v0.0.419-0
v0.0.419-1
v0.0.420
v0.0.420-0
v0.0.421
v0.0.421-0
v0.0.421-1
v0.0.421-2
v0.0.422
v0.0.422-0
v0.0.422-1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29783.json"