Executive Summary

CVE-2026-33718 is a command injection vulnerability in the OpenHands software, specifically in the `get_git_diff()` method. The issue arises because the `path` parameter received from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized into a shell command string. This allows authenticated attackers to inject and execute arbitrary shell commands within the agent sandbox.

The vulnerability occurs because the user-supplied `path` is embedded directly into a shell command executed with `shell=True` in Python's `subprocess.run()`. This enables shell metacharacters to be interpreted, bypassing normal command execution channels.

The root cause was the lack of proper sanitization or quoting of the `path` parameter before embedding it into the shell command. The fix applied was to use Python's `shlex.quote()` function to safely escape the user input, preventing injection by treating the input as a literal string.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated user to execute arbitrary commands on the system running OpenHands within the agent sandbox. Because the injected commands run with the privileges of the runtime container, an attacker can perform remote code execution (RCE).

Potential impacts include reading sensitive files, modifying or deleting data, installing malware, or disrupting service availability. The vulnerability can be exploited remotely via the vulnerable API endpoint, for example through Cross-Site Request Forgery (CSRF) attacks.

Overall, this represents a critical security risk that can compromise the confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves command injection through the unsanitized `path` parameter in the `/api/conversations/{conversation_id}/git/diff` API endpoint, which is executed via shell commands in the OpenHands runtime. Detection can focus on monitoring or testing this endpoint for suspicious command execution or injection attempts.

To detect exploitation attempts or test for the vulnerability, you can try sending crafted requests to the vulnerable API endpoint with payloads containing shell metacharacters such as `"; id #` or `"; calc; #` in the `path` parameter and observe if arbitrary commands execute.

On the system side, monitoring process executions spawned by the OpenHands runtime for unexpected commands or unusual subprocess invocations can help detect exploitation.

Since the vulnerability involves Python's subprocess module with `shell=True`, you can also audit logs or traces for subprocess calls that include suspicious shell metacharacters or unexpected commands.

Example commands to test or detect the vulnerability might include sending HTTP requests with payloads like:

• curl -X GET 'http://<openhands-host>/api/conversations/123/git/diff?path=test"; id #'
• curl -X GET 'http://<openhands-host>/api/conversations/123/git/diff?path=test"; calc; #'

If the system executes the injected commands (e.g., returns output of `id` or launches calculator), it indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to upgrade OpenHands to version 1.5.0 or later, where the vulnerability is fixed by properly sanitizing the `path` parameter.

The fix involves applying Python's `shlex.quote()` function to the user-supplied `file_path` before embedding it into shell command strings, which safely escapes shell metacharacters and prevents command injection.

If upgrading immediately is not possible, as a temporary workaround, avoid exposing the vulnerable API endpoint or restrict access to trusted users only.

Additionally, review and audit any code that executes shell commands with user input, ensuring that subprocess calls use argument lists with `shell=False` where possible, or properly sanitize inputs using `shlex.quote()`.

Implement monitoring for suspicious subprocess executions and consider applying network-level controls to limit access to the vulnerable API.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-33718 is a command injection vulnerability that allows authenticated attackers to execute arbitrary commands within the OpenHands agent sandbox. This can lead to unauthorized access to sensitive data such as environment files, API keys, and source code, as well as the ability to write malicious files or establish reverse shells.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized disclosure or modification.

Specifically, the ability to execute arbitrary commands and access sensitive files could lead to violations of data protection requirements, including confidentiality, integrity, and availability of protected data, thereby risking non-compliance with these regulations.

Useful 0 Not Useful 0