CVE-2026-33718
Command Injection in OpenHands Git Handler Enables Arbitrary Execution
Publication date: 2026-03-27
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openhands | openhands | to 1.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33718 is a command injection vulnerability in the OpenHands software, specifically in the `get_git_diff()` method. The issue arises because the `path` parameter received from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized into a shell command string. This allows authenticated attackers to inject and execute arbitrary shell commands within the agent sandbox.
The vulnerability occurs because the user-supplied `path` is embedded directly into a shell command executed with `shell=True` in Python's `subprocess.run()`. This enables shell metacharacters to be interpreted, bypassing normal command execution channels.
The root cause was the lack of proper sanitization or quoting of the `path` parameter before embedding it into the shell command. The fix applied was to use Python's `shlex.quote()` function to safely escape the user input, preventing injection by treating the input as a literal string.
How can this vulnerability impact me? :
This vulnerability allows any authenticated user to execute arbitrary commands on the system running OpenHands within the agent sandbox. Because the injected commands run with the privileges of the runtime container, an attacker can perform remote code execution (RCE).
Potential impacts include reading sensitive files, modifying or deleting data, installing malware, or disrupting service availability. The vulnerability can be exploited remotely via the vulnerable API endpoint, for example through Cross-Site Request Forgery (CSRF) attacks.
Overall, this represents a critical security risk that can compromise the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection through the unsanitized `path` parameter in the `/api/conversations/{conversation_id}/git/diff` API endpoint, which is executed via shell commands in the OpenHands runtime. Detection can focus on monitoring or testing this endpoint for suspicious command execution or injection attempts.
To detect exploitation attempts or test for the vulnerability, you can try sending crafted requests to the vulnerable API endpoint with payloads containing shell metacharacters such as `"; id #` or `"; calc; #` in the `path` parameter and observe if arbitrary commands execute.
On the system side, monitoring process executions spawned by the OpenHands runtime for unexpected commands or unusual subprocess invocations can help detect exploitation.
Since the vulnerability involves Python's subprocess module with `shell=True`, you can also audit logs or traces for subprocess calls that include suspicious shell metacharacters or unexpected commands.
Example commands to test or detect the vulnerability might include sending HTTP requests with payloads like:
- curl -X GET 'http://<openhands-host>/api/conversations/123/git/diff?path=test"; id #'
- curl -X GET 'http://<openhands-host>/api/conversations/123/git/diff?path=test"; calc; #'
If the system executes the injected commands (e.g., returns output of `id` or launches calculator), it indicates the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade OpenHands to version 1.5.0 or later, where the vulnerability is fixed by properly sanitizing the `path` parameter.
The fix involves applying Python's `shlex.quote()` function to the user-supplied `file_path` before embedding it into shell command strings, which safely escapes shell metacharacters and prevents command injection.
If upgrading immediately is not possible, as a temporary workaround, avoid exposing the vulnerable API endpoint or restrict access to trusted users only.
Additionally, review and audit any code that executes shell commands with user input, ensuring that subprocess calls use argument lists with `shell=False` where possible, or properly sanitize inputs using `shlex.quote()`.
Implement monitoring for suspicious subprocess executions and consider applying network-level controls to limit access to the vulnerable API.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-33718 is a command injection vulnerability that allows authenticated attackers to execute arbitrary commands within the OpenHands agent sandbox. This can lead to unauthorized access to sensitive data such as environment files, API keys, and source code, as well as the ability to write malicious files or establish reverse shells.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized disclosure or modification.
Specifically, the ability to execute arbitrary commands and access sensitive files could lead to violations of data protection requirements, including confidentiality, integrity, and availability of protected data, thereby risking non-compliance with these regulations.