cvedb.io
CVE-2022-4428
HIGH · CVSS 8.9
EPSS exploitation probability: 0%
Published 2023-01-11T17:15:09.383 · Last modified 2026-06-17T05:20:50.780

Summary

The support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation, which allowed privilege escalation and the launch of an arbitrary executable on the local machine when the "Send feedback" option was clicked. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file, or set a local path to the executable using the Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).

Affected products

cloudflare — warp

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.