CVE-2026-29783 in copilot-cli
Summary
by MITRE • 03/06/2026
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423.
The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations.
The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/18/2026
The vulnerability identified as CVE-2026-29783 represents a critical security flaw in GitHub Copilot CLI versions up to and including 0.0.422, where the shell tool fails to properly sanitize user inputs before executing commands. This weakness enables attackers to perform arbitrary code execution through carefully crafted bash parameter expansion patterns that bypass the tool's safety mechanisms. The vulnerability specifically targets the CLI's shell safety assessment system which categorizes commands as either read-only (safe) or write-capable (requiring user approval). The flaw allows malicious actors to exploit bash parameter expansion operators to inject executable code within otherwise benign commands, effectively circumventing the security checks that are meant to prevent unauthorized operations. The patched version 0.0.423 addresses this issue by implementing stricter input validation and enhanced parsing of shell command arguments.
The technical root cause of this vulnerability lies in how the CLI's safety assessment system evaluates shell commands prior to execution. The system performs a static analysis of commands to determine their operational scope, classifying them as either read-only or write-capable based on the commands and arguments they contain. However, the implementation fails to account for the advanced bash parameter expansion features that can embed executable code within argument values. The dangerous expansion patterns include ${var@P} which performs parameter expansion with command substitution, ${var=value} and ${var:=value} which provide default value assignment with potential command execution, ${!var} which performs indirect expansion, and nested command substitutions within ${} expansions such as ${$(cmd)} or ${<(cmd)}. These operators allow attackers to construct command sequences that appear to use only read-only utilities while actually executing arbitrary code through the parameter expansion mechanisms. This vulnerability maps to CWE-78 Improper Neutralization of Special Elements used in an OS Command, as it involves improper handling of user-supplied data that can be interpreted as executable commands.
The operational impact of this vulnerability extends beyond simple code execution, as it can enable attackers to perform sophisticated attacks through various injection vectors. The attack surface includes prompt injection scenarios where malicious content can be embedded in repository files such as README files, code comments, issue bodies, or compromised MCP server responses. Additionally, attackers can craft user instructions containing obfuscated commands that exploit the vulnerability when processed by the Copilot CLI. Even in permission modes that require explicit user approval for write operations, this vulnerability allows attackers to bypass these protections because the commands appear to use only read-only utilities. The exploitation chain typically involves crafting malicious input that gets processed by the shell tool, where the parameter expansion operators execute hidden commands without triggering the safety assessment system's detection mechanisms. This vulnerability can lead to severe consequences including data exfiltration, file modification, system compromise, and potential lateral movement within compromised environments. The attack pattern aligns with ATT&CK technique T1059.006 Command and Scripting Interpreter: Bash, as it leverages bash shell features to execute malicious code through parameter expansion mechanisms. The vulnerability demonstrates how advanced shell features can be misused to bypass security controls, making it particularly dangerous in automated development environments where Copilot CLI is frequently used. Organizations using GitHub Copilot CLI should immediately update to version 0.0.423 or later to mitigate this risk, as the vulnerability can be exploited without requiring any special privileges beyond normal user access to the system where the tool is installed.