iTerm2 Flaw Enables Arbitrary Code Execution via SSH Integration
A critical vulnerability in the macOS terminal emulator iTerm2 lets attacker-controlled terminal output become code execution on the local machine. Researchers from Calif, working with OpenAI, traced the issue to iTerm2's SSH integration protocol, which bootstraps a tiny helper called the "conductor" and exchanges terminal escape sequences over a PTY. Crafted sequences using DCS 2000p and OSC 135 can impersonate a remote conductor, prompting iTerm2 to write base64-encoded commands into the local PTY. Exploitation requires two conditions: malicious escape sequences reach the terminal (for example via cat, less, or head) and an attacker-supplied executable helper exists in the current working directory. The vulnerability is tracked as CVE-2026-41253 and affects stable releases through 3.6.9; a source-tree fix landed March 31, but a packaged release had not shipped at the time of disclosure.
What happened
A severe remote code execution bug was disclosed in iTerm2, the popular macOS terminal emulator. Researchers at Calif partnered with OpenAI to show that iTerm2's SSH integration can be tricked into treating untrusted terminal output as a legitimate remote partner, enabling arbitrary command execution as the logged-in user. The issue is tracked as CVE-2026-41253 and affects stable builds through 3.6.9; a patch exists in source as of March 31, 2026 but a formal release had not been shipped at disclosure.
Technical details
iTerm2's integration uses a lightweight remote helper called the conductor and carries protocol messages over standard terminal I/O through the PTY. The integration relies on terminal control sequences, specifically DCS 2000p for conductor session framing and OSC 135 for messaging. Because iTerm2 does not validate the provenance of these escape sequences, attacker-controlled output can impersonate the remote conductor. The exploit flow observed by researchers works when two conditions are met simultaneously: attacker-supplied escape sequences are displayed (for example via cat readme.txt, less, or head), and a small, executable helper script is present in the current working directory. iTerm2 then encodes commands in base64 and writes them into the PTY, which the helper can decode and execute, yielding a full shell as the local user.
Exploit delivery vectors
Attackers can deliver the required two-piece chain in many realistic ways:
- Bundled archives (zip, tar) that contain the crafted text plus a helper script and are unpacked locally
- Cloned repositories or development checkouts that include both files and are opened in place
- Compromised packages on registries like npm, PyPI, Composer, or Homebrew that ship both items inside the source tree
- CTF challenge downloads, malware sample archives, or staged supply chain payloads where both files coexist
Context and significance
This is a high-impact client-side vulnerability because terminal emulators are ubiquitous among developers, security analysts, and operators. The attack bypasses many conventional defenses: it needs no binary download, no click, and can be triggered simply by viewing a file in iTerm2. The dependency on a local executable helper reduces automatic wormability but expands the threat surface through supply chain and repository contamination. The cooperation between a research shop and OpenAI underscores increasing cross-disciplinary collaboration to audit common developer tools.
Mitigation and detection
Immediate steps for practitioners are practical and defensive. If you cannot immediately update to a patched build, disable iTerm2's SSH integration or avoid opening untrusted text files in iTerm2. Prefer viewing suspicious files in an alternative terminal that does not implement the same integration. Audit repositories and packages for unexpected executable helpers in source trees and remove execute permissions for untrusted files. When the vendor release is published, apply it promptly; the source fix exists but packaged releases may lag. Instrument local monitoring for unexpected base64 decode or process launches originating from terminal sessions.
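As an added defensive check (not code from the researchers or the iTerm2 project), the following Python scanner walks a checkout and flags files that carry the two sequences named above together with any executable helper in the same directory, which is the two-piece chain the advisory describes. The byte encodings of DCS 2000p and OSC 135 (7-bit ESC P / ESC ] or 8-bit 0x90 / 0x9D introducers) are assumed from ECMA-48 conventions; the page does not spell them out, and the sample tree in demo() is constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed ECMA-48 encodings (7-bit ESC P / ESC ] or 8-bit 0x90 / 0x9D introducers);
# the page names the sequences only, so the exact framing here is an assumption.
SEQUENCE_PATTERNS = {
    "DCS 2000p": re.compile(rb"(?:\x1bP|\x90)2000p"),
    "OSC 135": re.compile(rb"(?:\x1b\]|\x9d)135;"),
}

def find_sequences(data: bytes) -> list[str]:
    """Names of conductor-related control sequences present in a byte blob."""
    return [name for name, pat in SEQUENCE_PATTERNS.items() if pat.search(data)]

def is_executable(path: Path) -> bool:
    """Regular file with any execute bit set: the helper half of the chain."""
    try:
        mode = path.stat().st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def audit_tree(root: Path, max_bytes: int = 1 << 20) -> list[dict]:
    """Report each file carrying the sequences together with any executable
    helpers in the same directory, since the advisory's chain needs both pieces."""
    findings = []
    for dirpath, _, names in os.walk(root):
        d = Path(dirpath)
        helpers = sorted(n for n in names if is_executable(d / n))
        for n in names:
            try:
                data = (d / n).read_bytes()[:max_bytes]
            except OSError:
                continue
            hits = find_sequences(data)
            if hits:
                findings.append({"file": str(d / n), "sequences": hits,
                                 "helpers": [h for h in helpers if h != n]})
    return findings

def demo() -> list[dict]:
    """Constructed sample tree: README with both sequences (placeholder bodies) beside helper.sh."""
    root = Path(tempfile.mkdtemp())
    (root / "README.txt").write_bytes(b"hi\x1bP2000p<x>\x1b\\\x1b]135;<x>\x07\n")
    (root / "helper.sh").write_text("#!/bin/sh\necho placeholder\n")
    (root / "helper.sh").chmod(0o755)
    (root / "notes.txt").write_text("plain text only\n")  # clean, non-executable
    return audit_tree(root)
```

Run it against a freshly cloned repository or unpacked archive before viewing any of its text files; a hit with a non-empty helpers list is exactly the condition the advisory warns about.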
What to watch
Expect a formal iTerm2 release and vendor advisory, plus downstream advisories from package registries and major open source projects. Security teams should prioritize scanning developer environments and CI pipelines for repositories that could carry the two-file chain, and evaluate other terminal emulators for similar protocol trust issues.
Scoring Rationale
This is a high-severity RCE in a widely used developer tool that requires no click or file execution to trigger, elevating risk for developer machines and supply chains. The exploit has delivery constraints that limit immediate mass wormability, so the story is major but not paradigm-shifting.