CVE-2026-55743
Status: Deferred - Pending Action
Command Injection in OpenHuman Desktop Agent

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
Affected Vendors & Products
Showing 4 associated CPEs

Vendor          Product    Version / Range
tinyhumansai    openhuman  0.53.49
tinyhumansai    openhuman  0.54.0
tinyhumansai    openhuman  0.54.22
tinyhumansai    openhuman  0.56.0

Note: the CPE list records associated versions, not only vulnerable ones. Per the description, the affected range is through 0.54.0; 0.54.22-staging and stable 0.56.0 are the first releases that carry the fix.
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Executive Summary

This vulnerability exists in the shell tool command allowlist of the OpenHuman desktop agent's SecurityPolicy up to version 0.54.0. It allows attackers to bypass restrictions and execute arbitrary operating system commands with the privileges of the desktop user.

The issue arises from two combined flaws: first, the function is_args_safe() blocks certain dangerous find command flags (-exec and -ok) but does not block their functionally identical counterparts (-execdir and -okdir), which also execute arbitrary commands. Second, skip_env_assignments() removes leading inline environment variable assignments before validating commands against the allowlist, enabling attackers to inject malicious commands through environment-driven hooks like GIT_EXTERNAL_DIFF.

Because the sandbox is the main trust boundary between untrusted content processed by large language models and the host OS, an attacker can use indirect prompt injection via malicious documents, emails, calendar events, or web pages to run seemingly benign allowlisted commands that actually execute arbitrary commands, leading to remote code execution.

Impact Analysis

This vulnerability can have severe impacts: arbitrary command execution with the desktop user's privileges, which in turn enables data exfiltration, unauthorized reading and writing of the user's files, and onward lateral movement from the compromised machine.

The attacker needs no direct access to the host. Any content the agent ingests (a document, email, calendar event or web page) can carry an indirect prompt injection that steers the agent into issuing a command that passes the allowlist check but executes attacker-chosen code, potentially compromising the entire system and the sensitive data on it.

Detection Guidance

Determining exposure means checking whether the installed OpenHuman desktop agent is a vulnerable version (through 0.54.0) and whether its shell tool is enabled under the default Supervised security policy, which is where the flawed allowlist validation of find flags (-execdir, -okdir) and of leading environment-variable assignments (e.g. GIT_EXTERNAL_DIFF) applies.

The fix first shipped in 0.54.22-staging and in stable release 0.56.0; any earlier build should be treated as vulnerable.

To detect exploitation attempts, monitor command executions spawned by the agent process for the find command with -execdir or -okdir flags, and for allowlisted commands such as git preceded by environment-variable assignments like GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND, since those prefixes are exactly what the vulnerable validator discarded before checking the command.

Suggested commands to help detect suspicious activity include:

  • Check OpenHuman version: `openhuman --version` (if the binary exposes a version flag) or the package manager's record of the installed version.
  • Search running processes for find invocations using the unblocked flags: `pgrep -af 'find .*-(execdir|okdir)'` (matches full command lines without matching the search itself, unlike `ps aux | grep`). This only catches commands still running, so it is a spot check, not a record.
  • Audit shell history for find with -execdir/-okdir or environment-variable assignments preceding allowlisted commands, e.g. `grep -E 'find .*-(execdir|okdir)|^[A-Za-z_][A-Za-z0-9_]*=[^ ]+ +(git|find) ' ~/.bash_history`. Caveat: commands spawned by the agent's shell tool run in a non-interactive shell and are normally not written to ~/.bash_history, so absence there proves nothing; an execve audit trail (auditd, EDR or other process-creation logging) filtered on the agent process as parent is the reliable source.
  • Monitor environment variables used in commands, especially GIT_EXTERNAL_DIFF, GIT_SSH_COMMAND and similar hook-driving variables, for suspicious inline assignments.
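The following Rust program is an added example and is not OpenHuman's code. It models, in a few dozen lines, the two validation flaws the description attributes to src/openhuman/security/policy.rs (a find denylist missing -execdir/-okdir, and inline KEY=value prefixes stripped before the allowlist is consulted), places a hardened validator beside the flawed one, and reuses the same tokenizer as a detector that can be run over captured command lines such as the ones the audit steps above would collect. The allowlist contents, the function names other than is_args_safe and skip_env_assignments, the whitespace tokenizer (real shell quoting is out of scope) and the sample command lines are all assumptions made for this example.

```rust
// Added example modelling CVE-2026-55743; not the OpenHuman project's code.
// Assumptions: a tiny allowlist, whitespace tokenisation, and constructed
// sample command lines.  Shell quoting and word splitting are not modelled.

const ALLOWED: &[&str] = &["git", "find", "ls", "cat"];

/// True for a shell-style inline assignment such as GIT_EXTERNAL_DIFF=/tmp/x.sh
fn is_env_assignment(tok: &str) -> bool {
    match tok.split_once('=') {
        Some((name, _)) => {
            !name.is_empty()
                && name.chars().all(|c| c == '_' || c.is_ascii_alphanumeric())
                && !name.chars().next().unwrap().is_ascii_digit()
        }
        None => false,
    }
}

/// Flaw 2 (modelled): leading KEY=value tokens are dropped before validation,
/// so the allowlist never sees the hook-driving variable.
fn skip_env_assignments<'a>(tokens: &'a [&'a str]) -> &'a [&'a str] {
    let n = tokens.iter().take_while(|t| is_env_assignment(t)).count();
    &tokens[n..]
}

/// Flaw 1 (modelled): the find denylist knows -exec/-ok but not -execdir/-okdir.
fn is_args_safe_flawed(cmd: &str, args: &[&str]) -> bool {
    cmd != "find" || !args.iter().any(|a| *a == "-exec" || *a == "-ok")
}

/// Hardened find check: all four command-running predicates are refused.
/// This is still a denylist (CWE-184); a production policy should instead
/// enumerate the find predicates it permits.
fn is_args_safe_fixed(cmd: &str, args: &[&str]) -> bool {
    const FIND_DENY: &[&str] = &["-exec", "-ok", "-execdir", "-okdir"];
    cmd != "find" || !args.iter().any(|a| FIND_DENY.contains(a))
}

/// Vulnerable validator: strips env prefixes, then allowlists the remainder.
pub fn validate_flawed(line: &str) -> bool {
    let tokens: Vec<&str> = line.split_whitespace().collect();
    let rest = skip_env_assignments(&tokens);
    match rest.split_first() {
        Some((cmd, args)) => ALLOWED.contains(cmd) && is_args_safe_flawed(cmd, args),
        None => false,
    }
}

/// Hardened validator: an inline assignment anywhere at the front of the
/// command line is rejected outright rather than skipped, and the full
/// find denylist applies.
pub fn validate_fixed(line: &str) -> bool {
    let tokens: Vec<&str> = line.split_whitespace().collect();
    match tokens.split_first() {
        Some((cmd, args)) => {
            !is_env_assignment(cmd) && ALLOWED.contains(cmd) && is_args_safe_fixed(cmd, args)
        }
        None => false,
    }
}

/// Detector for captured command lines: reports why a line would have slipped
/// through the flawed validator, or None if it is not one of the two patterns.
pub fn why_suspicious(line: &str) -> Option<&'static str> {
    let tokens: Vec<&str> = line.split_whitespace().collect();
    let rest = skip_env_assignments(&tokens);
    let (cmd, args) = rest.split_first()?;
    if rest.len() != tokens.len() && ALLOWED.contains(cmd) {
        return Some("env-prefixed allowlisted command");
    }
    if *cmd == "find" && args.iter().any(|a| *a == "-execdir" || *a == "-okdir") {
        return Some("find with -execdir/-okdir");
    }
    None
}

fn main() {
    // Constructed sample command lines, as they might appear in an execve audit trail.
    let samples = [
        "find /home/user -name '*.pdf'",
        "find /home/user -name '*.pdf' -execdir sh -c 'cat {} > /tmp/out' ;",
        "GIT_EXTERNAL_DIFF=/tmp/x.sh git diff",
        "git diff",
        "find . -exec rm {} ;",
    ];
    println!("flawed fixed  reason  command");
    for s in samples {
        println!("{:6} {:6} {:?}  {}", validate_flawed(s), validate_fixed(s), why_suspicious(s), s);
    }
}
```

Running the program shows the two bypass lines accepted by `validate_flawed` and refused by `validate_fixed`, while a plain `git diff` passes both and `find -exec` fails both. The detector deliberately keys on the prefix the vulnerable code threw away: on a real host, feed it the full command line from process-creation logging rather than shell history, for the reason given in the audit step above.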
Mitigation Strategies

The primary mitigation step is to upgrade the OpenHuman desktop agent to version 0.56.0 or later (or 0.54.22-staging), where commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 blocks the -execdir and -okdir flags for find. The description credits that commit only with closing the find gap; before relying on the upgrade alone, confirm on the installed version that inline environment-variable assignments ahead of an allowlisted command (for example GIT_EXTERNAL_DIFF=<cmd> git diff) are now rejected rather than skipped.

If an immediate upgrade is not possible, the safest interim step is to disable the agent's shell tool or, where the policy is configurable, remove find and git from the allowlist, since the allowlist check itself is what is bypassed. Instructing the agent through prompts not to run such commands is not a control: prompt injection is the attack vector.

Additionally, review and tighten security policies around the execution of shell commands by the OpenHuman agent, especially under the Supervised security policy.

Implement network and host monitoring to detect suspicious command executions and potential exploitation attempts.

Compliance Impact

The vulnerability allows arbitrary command execution with the privileges of the desktop user, leading to potential data exfiltration, arbitrary file read/write, and lateral movement on the user's machine.

Such unauthorized access and data manipulation could compromise the confidentiality and integrity of sensitive personal or health data, thereby impacting compliance with regulations like GDPR and HIPAA that require strict controls on data protection and breach prevention.

Because the sandbox is the primary trust boundary between untrusted content and the host OS, this bypass undermines security assumptions critical for regulatory compliance.
