GitHub Advisory — Copilot CLI shell expansion RCE (CVE-2026-29783)

AI relevance: Copilot CLI is an AI-driven shell assistant; prompt-influenced command text that bypasses its safety checks can turn AI automation into arbitrary code execution.

  • CVE-2026-29783 affects the Copilot CLI shell tool’s command safety assessment.
  • Several bash parameter expansion forms (e.g., ${var@P}, ${var:=value}, ${!var}) can smuggle command execution into arguments.
  • The safety layer may classify these as “read-only” commands, so they run without approval.
  • Attackers can influence commands via malicious repo content, MCP server responses, or crafted instructions.
  • Exploitation enables arbitrary code execution on the user’s workstation under the agent’s privileges.
  • Affected versions are < 0.0.423 of @github/copilot-cli.
  • GitHub’s fix downgrades risky expansions to write-capable and blocks them outright.

Why it matters

  • Safety gates that depend on “read-only” classification are brittle when shell expansions can execute code.
  • Agentic workflows routinely ingest untrusted repo text, which becomes a prompt-injection path into the shell tool.
  • Even autopilot/auto-approve modes are protected only if the tool itself blocks dangerous patterns.

What to do

  • Upgrade Copilot CLI to 0.0.423 or later.
  • Review any shell command containing complex parameter expansions before approval.
  • Limit exposure to untrusted repositories and MCP servers until patched.
  • Log and alert on agent shell invocations that include unusual expansion patterns.
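
An added example (not from the advisory or from GitHub's code) of the last recommendation: it scans agent shell-invocation events for the three expansion forms the advisory names, matching any single-letter `@` operator rather than only `@P`. The JSON-lines layout and the `tool`/`command` field names are assumptions, and the sample events are constructed.

```python
import json
import re

NAME = r"[A-Za-z_][A-Za-z0-9_]*"
# Expansion forms the advisory names; it gives them as examples ("e.g."),
# so treat this set as a starting point rather than a complete list.
PATTERNS = {
    "transform": re.compile(r"\$\{" + NAME + r"(?:\[[^\]]*\])?@[A-Za-z]\}"),  # ${var@P}
    "assign-default": re.compile(r"\$\{" + NAME + r":?=[^}]*\}"),             # ${var:=value}
    "indirect": re.compile(r"\$\{!" + NAME + r"[^}]*\}"),                     # ${!var}
}

def scan_command(command):
    """Return (label, matched_text) pairs for each flagged expansion."""
    # Quoting is ignored on purpose: text inside single quotes is still
    # evaluated when it is handed to a nested shell (bash -c '...').
    hits = []
    for label, rx in PATTERNS.items():
        hits.extend((label, m.group(0)) for m in rx.finditer(command))
    return hits

def scan_log(lines):
    """Scan JSON-lines events; 'tool' and 'command' are assumed field names."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if not isinstance(event, dict) or event.get("tool") != "shell":
            continue
        hits = scan_command(str(event.get("command", "")))
        if hits:
            alerts.append({"line": lineno, "command": event["command"], "hits": hits})
    return alerts

# Constructed sample log (not real Copilot CLI output).
SAMPLE_LOG = [json.dumps({"tool": "shell", "command": c}) for c in (
    "git status",
    "echo ${HOME} ${path:-/tmp} ${#name} ${arr[@]}",   # ordinary expansions: not flagged
    "echo ${banner@P}",
    "ls ${dir:=/tmp}",
    "cat ${!ref}",
    "bash -c 'echo ${x@P}'",                             # quoted, still flagged
)]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["line"], alert["command"], alert["hits"])
```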

Sources