Skills
CVE-2026-29783: Copilot CLI Read-Only Allowlist Bypass — env Curl Downloads and Executes Malware Without Any User Approval
Prompt Armor disclosed that GitHub Copilot CLI's command validation can be bypassed using 'env' (listed as read-only) to pipe attacker-controlled payloads to sh, achieving arbitrary code execution without user approval. The injection can be stored in a README file from a cloned repo, web search results, or MCP tool responses. GitHub closed the report in one day, classifying it as a known issue that 'does not present a significant security risk' with no current fix planned.
Source
↳ Follow the thread