Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26982

CVE-2026-26982: Ghostty Terminal Emulator RCE Vulnerability

CVE-2026-26982 is a remote code execution flaw in Ghostty terminal emulator allowing invisible control characters in pasted text to execute arbitrary commands. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-26982 Overview

CVE-2026-26982 is a command injection vulnerability in Ghostty, a cross-platform terminal emulator. The vulnerability allows control characters such as 0x03 (Ctrl+C) to be included in pasted and dropped text. These invisible control characters can be used to execute arbitrary commands in certain shell environments when a user pastes or drags malicious text into the terminal.

This attack requires social engineering to convince a user to copy and paste or drag and drop malicious text into the Ghostty terminal. While user interaction is required, the dangerous characters are invisible in most GUI environments, making detection difficult, especially when the string contents appear complex or legitimate.

Critical Impact

Attackers can craft malicious clipboard content containing invisible control characters that execute arbitrary commands when pasted into Ghostty terminal sessions, potentially leading to system compromise.

Affected Products

  • Ghostty terminal emulator versions prior to v1.3.0
  • Cross-platform installations (macOS, Linux, Windows)
  • Users who copy/paste content from untrusted sources

Discovery Timeline

  • 2026-03-10 - CVE CVE-2026-26982 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-26982

Vulnerability Analysis

This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The root issue lies in Ghostty's failure to properly sanitize or strip control characters from clipboard content before allowing it to be pasted into the terminal.

When a user pastes text into a terminal emulator, the text is sent to the shell as if it were typed directly. Control characters embedded in the pasted content are interpreted by the shell, which can trigger command execution. For example, the 0x03 character (ASCII ETX) typically represents Ctrl+C, while other control characters like 0x0D (carriage return) or 0x0A (newline) can cause commands to be executed immediately.

The vulnerability requires user interaction but exploits the trust users place in copying text from websites, documents, or other applications. Since these control characters are not visible in most graphical user interfaces, malicious payloads can be hidden within seemingly benign text.

Root Cause

The root cause is insufficient input sanitization of clipboard and drag-and-drop content within Ghostty's text handling routines. The terminal emulator did not filter or warn users about potentially dangerous control characters present in pasted text before forwarding it to the shell.

Terminal emulators must distinguish between user-typed input and pasted content, applying appropriate sanitization to the latter since it may originate from untrusted sources. Ghostty versions prior to v1.3.0 failed to implement this distinction adequately.

Attack Vector

The attack vector is network-based in the sense that malicious content can be delivered via websites, emails, or shared documents. However, exploitation requires user interaction—specifically, the victim must copy and paste (or drag and drop) the malicious text into a Ghostty terminal session.

An attacker could craft a malicious string that appears to be a legitimate command or code snippet but contains hidden control characters. When the victim pastes this into their terminal, the embedded control characters can:

  1. Interrupt the current command with Ctrl+C (0x03)
  2. Clear the screen or manipulate terminal display
  3. Execute attacker-controlled commands via embedded newlines
  4. Exfiltrate data or download malicious payloads

The attack is particularly effective because the malicious characters are invisible in most text editors and web browsers, making the payload appear harmless.

Detection Methods for CVE-2026-26982

Indicators of Compromise

  • Unexpected command execution in terminal sessions following paste operations
  • Shell history entries containing commands the user did not intentionally type
  • Process execution logs showing commands initiated immediately after clipboard operations
  • Unusual outbound network connections originating from terminal sessions

Detection Strategies

  • Monitor shell history files for unexpected or suspicious commands that users don't recall executing
  • Implement endpoint detection rules that correlate clipboard activity with immediate command execution
  • Deploy behavioral analysis to detect anomalous process spawning patterns following paste events
  • Review process audit logs for command execution that coincides with user paste operations

Monitoring Recommendations

  • Enable comprehensive shell command logging on systems where Ghostty is used
  • Configure SentinelOne to monitor for suspicious process chains originating from terminal emulator processes
  • Implement clipboard monitoring on high-security endpoints to detect potentially malicious content
  • Alert on execution of common malicious payloads such as curl/wget downloads to suspicious domains

How to Mitigate CVE-2026-26982

Immediate Actions Required

  • Upgrade Ghostty to version v1.3.0 or later immediately
  • Review recent shell history for any unexpected command execution
  • Educate users about the risks of pasting content from untrusted sources into terminals
  • Consider temporarily restricting paste functionality in high-security environments until patching is complete

Patch Information

The vulnerability has been fixed in Ghostty v1.3.0. The fix involves sanitizing control characters from pasted and dropped text before it is sent to the shell. Users should update to this version immediately to mitigate the risk.

Technical details of the fix can be found in the GitHub commit and the associated pull request #10746. The official security advisory is available at the GitHub Security Advisory GHSA-4jxv-xgrp-5m3r.

Workarounds

  • Avoid copying and pasting commands or code from untrusted sources into Ghostty sessions
  • Manually type commands instead of pasting them, especially when the source is unknown
  • Use a text editor to inspect clipboard content for hidden characters before pasting into terminals
  • Consider using alternative terminal emulators until Ghostty can be updated to v1.3.0
  • Implement network-level controls to limit potential damage from command execution
bash
# Verify Ghostty version to ensure patch is applied
ghostty --version
# Expected output: v1.3.0 or higher

# Alternative: Check for the presence of control character sanitization
# by reviewing the configuration or testing with known safe inputs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne