CVE-2026-33718 Overview
CVE-2026-33718 is a Command Injection vulnerability affecting OpenHands, an AI-driven development platform. Starting in version 1.5.0, the get_git_diff() method at openhands/runtime/utils/git_handler.py:134 fails to properly sanitize the path parameter received from the /api/conversations/{conversation_id}/git/diff API endpoint. This unsanitized input is passed directly to a shell command, enabling authenticated attackers to execute arbitrary commands within the agent sandbox environment. While users are already permitted to instruct the agent to execute commands through normal channels, this vulnerability bypasses those controls entirely. Version 1.5.0 addresses this security issue.
Critical Impact
Authenticated attackers can inject arbitrary shell commands through the git diff API endpoint, bypassing normal agent command execution controls and potentially compromising the sandbox environment.
Affected Products
- OpenHands versions prior to 1.5.0
- OpenHands instances with the git diff API endpoint exposed
Discovery Timeline
- 2026-03-27 - CVE-2026-33718 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33718
Vulnerability Analysis
This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw resides in the git handling utility of OpenHands, specifically in how the application processes user-supplied path parameters when generating git diffs.
When an authenticated user makes a request to the /api/conversations/{conversation_id}/git/diff endpoint, the path parameter is accepted and subsequently passed to the get_git_diff() function without adequate input validation or sanitization. The function then incorporates this untrusted input directly into a shell command construction, creating an injection point that attackers can exploit.
The vulnerability is network-accessible and requires only low privileges (authentication) to exploit. No user interaction is required for successful exploitation. While the scope is unchanged (contained within the sandbox), successful exploitation can result in high confidentiality impact with lower impacts to integrity and availability of the sandbox environment.
Root Cause
The root cause of CVE-2026-33718 is the direct concatenation or interpolation of user-supplied input into a shell command string without proper sanitization. The path parameter from the API request is passed to the get_git_diff() method, which constructs a shell command (likely involving git diff) using this unsanitized input. Python's subprocess module, when used with shell=True or equivalent string-based command execution, interprets shell metacharacters in the input, allowing command injection. The Python subprocess Security Considerations documentation explicitly warns against this pattern. Proper remediation involves using shlex.quote() for input sanitization as documented in the Python shlex Documentation, or avoiding shell interpretation entirely by passing commands as a list of arguments.
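The pattern described above, next to the two remediations it names, as an added example (this is not OpenHands code). The function names and the exact `git diff --no-color --` command line are assumptions, and the payload is a constructed, benign marker-file test.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed, benign payload: if the shell treats ';' as a separator,
# a marker file named INJECTED appears in the working directory.
PAYLOAD = "a.txt; touch INJECTED"
OPTS = dict(capture_output=True, stdin=subprocess.DEVNULL)

def run_vulnerable(path, cwd):
    # Hypothetical stand-in for the flawed pattern: untrusted input is
    # interpolated into a string that /bin/sh parses.
    subprocess.run(f"git diff --no-color -- {path}", shell=True, cwd=cwd, **OPTS)

def run_quoted(path, cwd):
    # shlex.quote() turns the value into a single shell word, so ';' stays literal.
    subprocess.run(f"git diff --no-color -- {shlex.quote(path)}",
                   shell=True, cwd=cwd, **OPTS)

def run_argv(path, cwd):
    # No shell: each list element reaches git as exactly one argument, and
    # "--" stops a value starting with "-" from being read as an option.
    try:
        subprocess.run(["git", "diff", "--no-color", "--", path], cwd=cwd, **OPTS)
    except FileNotFoundError:
        pass  # git is not installed; nothing was executed

def marker_created(runner):
    # Run one variant in a throwaway directory and report whether the
    # injected 'touch' actually executed.
    with tempfile.TemporaryDirectory() as cwd:
        runner(PAYLOAD, cwd)
        return (Path(cwd) / "INJECTED").exists()

if __name__ == "__main__":
    for runner in (run_vulnerable, run_quoted, run_argv):
        print(f"{runner.__name__}: marker created = {marker_created(runner)}")
```

The argument-list form is the more robust of the two fixes because it removes the shell parser from the path entirely instead of relying on correct quoting at every call site.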
Attack Vector
The attack vector is network-based, targeting the REST API endpoint /api/conversations/{conversation_id}/git/diff. An authenticated attacker crafts a malicious HTTP request containing shell metacharacters (such as ;, |, $(), or backticks) within the path parameter. When the vulnerable function processes this request, the injected commands execute within the context of the agent sandbox.
The vulnerability allows command chaining and arbitrary command execution. For example, an attacker could inject commands to read sensitive files, establish reverse shells, or manipulate the sandbox environment. The OWASP Command Injection Overview provides comprehensive documentation on command injection attack techniques and exploitation patterns relevant to this vulnerability.
Detection Methods for CVE-2026-33718
Indicators of Compromise
- Unusual characters in path parameters within git diff API request logs, including semicolons (;), pipes (|), backticks, or $() subshell syntax
- Unexpected process spawns originating from the OpenHands runtime process, particularly shells or network utilities
- API requests to /api/conversations/{conversation_id}/git/diff with abnormally long or encoded path values
- Evidence of reconnaissance commands (e.g., whoami, id, uname) in sandbox execution logs
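One way to check access logs for the first and third indicators above, as an added example that is not part of any OpenHands or vendor tooling. It assumes a combined-style access log, that the value arrives as a query-string parameter named `path`, and a 256-character length threshold; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = re.compile(r"^/api/conversations/[^/]+/git/diff$")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
META = re.compile(r"[;|&`\n]|\$\(")   # metacharacters named in the indicators
MAX_LEN = 256                          # assumed threshold for "abnormally long"

def decode_fully(value, rounds=3):
    # Undo repeated percent-encoding so layered encodings cannot hide characters.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings(line):
    # Return the indicator names raised by one access-log line.
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not ENDPOINT.match(url.path):
        return []
    hits = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("path", []):
        value = decode_fully(raw)   # parse_qs has already decoded one layer
        if META.search(value):
            hits.append("shell-metacharacter")
        if value != raw:
            hits.append("multiply-encoded")
        if len(value) > MAX_LEN:
            hits.append("long-path")
    return hits

# Constructed sample lines, not taken from a real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Mar/2026:10:00:00 +0000] "GET /api/conversations/abc123/git/diff?path=src/main.py HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Mar/2026:10:00:04 +0000] "GET /api/conversations/abc123/git/diff?path=a.txt%3B%20id HTTP/1.1" 200 87',
    '10.0.0.9 - - [27/Mar/2026:10:00:06 +0000] "GET /api/conversations/abc123/git/diff?path=a.txt%2524%2528id%2529 HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, start=1):
        print(number, findings(line))
```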
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block command injection patterns in API parameters targeting the git diff endpoint
- Deploy runtime application self-protection (RASP) to monitor subprocess calls originating from the git_handler.py module
- Configure API gateway logging to capture full request bodies for the affected endpoint and alert on suspicious patterns
- Enable process monitoring within sandbox environments to detect anomalous child process creation
Monitoring Recommendations
- Monitor API access logs for repeated requests to the git diff endpoint with varying path parameters, which may indicate exploitation attempts
- Implement anomaly detection on command execution patterns within agent sandboxes to identify unusual activity
- Track and alert on network connections originating from sandbox environments that deviate from expected behavior
- Review OpenHands application logs for errors related to shell command execution in the git handler module
How to Mitigate CVE-2026-33718
Immediate Actions Required
- Upgrade OpenHands to version 1.5.0 or later, which contains the fix for this vulnerability
- If immediate upgrade is not possible, implement network-level restrictions to limit access to the git diff API endpoint to trusted sources only
- Review API access logs for evidence of exploitation attempts prior to patching
- Apply additional input validation at the API gateway or reverse proxy level for the affected endpoint
Patch Information
The vulnerability is addressed in OpenHands version 1.5.0. The fix is documented in GitHub Pull Request #13051, which implements proper input sanitization for the path parameter before shell command construction. Organizations should upgrade to version 1.5.0 or later immediately. For detailed technical information about the vulnerability and fix, refer to the GitHub Security Advisory GHSA-7h8w-hj9j-8rjw.
Workarounds
- Restrict network access to the /api/conversations/{conversation_id}/git/diff endpoint using firewall rules or reverse proxy configurations until the patch can be applied
- Implement a WAF rule to block requests containing shell metacharacters in the path parameter
- Temporarily disable the git diff functionality if it is not critical to operations
- Add authentication rate limiting to slow potential automated exploitation attempts
# Example nginx configuration to restrict access to the vulnerable endpoint
location ~ ^/api/conversations/.*/git/diff {
    # Restrict to trusted IP ranges only
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;

    # Pass to upstream if allowed
    proxy_pass http://openhands_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

