GitHub Copilot CLI fixes shell parameter-expansion bypass that can lead to arbitrary code execution (CVE-2026-29783)
What happened
GitHub published a security advisory for GitHub Copilot CLI describing a vulnerability in its shell tool that can allow arbitrary code execution via crafted bash parameter expansion patterns. The advisory is tracked as CVE-2026-29783 and GHSA-g8r9-g2v8-jv6f.
The issue is that Copilot CLI's "shell safety assessment" can misclassify certain commands as read-only (safe to run without confirmation) even though bash expansion features can hide command execution inside arguments. This can let an attacker smuggle execution into seemingly safe commands like echo.
The advisory lists multiple dangerous patterns that can embed hidden execution, including ${var@P} prompt expansion (which can interpret embedded command substitutions), assignment side effects via ${var=value} / ${var:=value}, indirect expansion ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions.
A proof-of-concept shown in the advisory demonstrates a command that looks like a harmless echo but results in executing touch /tmp/pwned through chained parameter expansion and prompt expansion:
echo ${a="$"}${b="$a(touch /tmp/pwned)"}${b@P}
Who is impacted
According to the advisory, GitHub Copilot CLI versions <= 0.0.422 are affected. The patched version is 0.0.423.
The risk scenario called out is when an attacker can influence command text executed by the agent, including via prompt injection in repository content (e.g., README files, code comments, issue bodies), malicious/compromised MCP server responses, or crafted user instructions.
What to do now
- Upgrade GitHub Copilot CLI to 0.0.423 or later.
- Treat Copilot CLI shell suggestions as potentially attacker-influenced when operating in untrusted repos or with untrusted MCP servers.
- If you must run older versions temporarily, avoid executing agent-suggested commands containing complex ${...} expansions or suspicious operators like @P, :=, !, or embedded $(...) / <(...) inside expansions.
Additional Information
The advisory states the fix adds layered defenses: detection of dangerous expansions to ensure commands require approval, unconditional blocking of dangerous expansion patterns regardless of permission mode, and additional system-prompt hardening for the shell tool.
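As an added example (not code from the advisory or from GitHub Copilot CLI), the following Python implements the detection side of the layered defense described above and the pattern list from the "What happened" section: it pulls out every ${...} expansion in a command line, checks the inner text for the constructs the advisory names (@P prompt expansion, = and := assignment side effects, ! indirect expansion, and nested $(...) / <(...)), and reports which ones mean the command must go to the user for approval instead of being classified as read-only. The function names, rule names and the benign sample commands are assumptions of mine; the only command taken from the page is the proof of concept. It looks only inside ${...}, on the assumption that a top-level $(...) is already caught by the existing assessment.

```python
"""Flag bash parameter expansions that can hide command execution.

Added example (not GitHub's code): a conservative pre-execution check that
looks inside every ${...} of a command line for the constructs named in the
advisory and reports which ones require human approval.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # short name of the dangerous construct
    text: str   # inner text of the ${...} that triggered it


# Rules are applied to the text between "${" and its matching "}".
_RULES = [
    # ${var@P}: prompt-string expansion; bash interprets \$(...) escapes in the
    # value, so a value that merely *contains* "$(cmd)" gets executed.
    # Deliberately loose (any expansion ending in @P) rather than exact.
    ("prompt-expansion", re.compile(r"@P$")),
    # ${var=value} / ${var:=value}: assigns as a side effect of expanding, so a
    # "harmless" echo can plant the payload that a later ${var@P} detonates.
    # Does not match ${var:-value}, ${var:+value} or ${var:?msg}.
    ("assignment", re.compile(r"^[A-Za-z_]\w*(\[[^\]]*\])?:?=")),
    # ${!var}: indirect expansion; also catches ${!prefix*} / ${!arr[@]} forms,
    # which is deliberate (better to ask than to miss a case).
    ("indirect", re.compile(r"^!")),
    # $(cmd) or <(cmd) nested anywhere inside the expansion.
    ("nested-substitution", re.compile(r"\$\(|<\(")),
]


def brace_expansions(cmd: str) -> list[str]:
    """Return the inner text of every ${...} in cmd, innermost first when nested.

    Single pass: "${" pushes a start offset, the next unmatched "}" pops it.
    A backslash escapes the following character, so "\\${x}" is not counted.
    Quoting is ignored on purpose: the check errs toward flagging.
    """
    starts: list[int] = []
    inner: list[str] = []
    i = 0
    while i < len(cmd):
        if cmd[i] == "\\":
            i += 2
            continue
        if cmd.startswith("${", i):
            starts.append(i + 2)
            i += 2
            continue
        if cmd[i] == "}" and starts:
            inner.append(cmd[starts.pop():i])
        i += 1
    return inner


def assess(cmd: str) -> list[Finding]:
    """Return every dangerous construct found inside ${...} expansions of cmd."""
    findings = []
    for text in brace_expansions(cmd):
        for name, rx in _RULES:
            if rx.search(text):
                findings.append(Finding(name, text))
    return findings


def requires_approval(cmd: str) -> bool:
    """True if the command must not run without explicit user confirmation."""
    return bool(assess(cmd))


if __name__ == "__main__":
    # The advisory's proof of concept: looks like an echo, ends up running touch.
    poc = 'echo ${a="$"}${b="$a(touch /tmp/pwned)"}${b@P}'
    for f in assess(poc):
        print(f"{f.rule:<20} ${{{f.text}}}")
    print("requires approval:", requires_approval(poc))
    # Constructed benign command for comparison: a plain default-value expansion.
    print("requires approval:", requires_approval('echo "${HOME:-/root}/.config"'))
```

Run against the proof of concept, the check reports two assignment side effects and one prompt expansion. Note that the payload never contains a literal `$(`: the value assigned to b is `$a(touch /tmp/pwned)`, and `$a` only becomes `$` at expansion time, so a scanner that looked for `$(` alone would classify the command as a harmless echo. That is why the assignment and @P rules exist alongside the nested-substitution rule, and why the advisory's fix blocks these patterns outright rather than relying on a single signature.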
- CVE: CVE-2026-29783
- GHSA: GHSA-g8r9-g2v8-jv6f
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- Affected versions: <= 0.0.422
- Patched version: 0.0.423
