CVE-2026-33718: OpenHands Command Injection Vulnerability

CVE-2026-33718 is a command injection flaw in OpenHands that allows authenticated attackers to execute arbitrary commands in the agent sandbox. This article covers the technical details, affected versions, and mitigation.

CVE-2026-33718 Overview

CVE-2026-33718 is a Command Injection vulnerability affecting OpenHands, an AI-driven development platform. Starting in version 1.5.0, the get_git_diff() method at openhands/runtime/utils/git_handler.py:134 fails to properly sanitize the path parameter received from the /api/conversations/{conversation_id}/git/diff API endpoint. This unsanitized input is passed directly to a shell command, enabling authenticated attackers to execute arbitrary commands within the agent sandbox environment. While users are already permitted to instruct the agent to execute commands through normal channels, this vulnerability bypasses those controls entirely. Version 1.5.0 addresses this security issue.

Critical Impact

Authenticated attackers can inject arbitrary shell commands through the git diff API endpoint, bypassing normal agent command execution controls and potentially compromising the sandbox environment.

Affected Products

  • OpenHands versions prior to 1.5.0
  • OpenHands instances with the git diff API endpoint exposed

Discovery Timeline

  • 2026-03-27 - CVE-2026-33718 published to NVD
  • 2026-03-30 - Last updated in NVD database

Technical Details for CVE-2026-33718

Vulnerability Analysis

This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw resides in the git handling utility of OpenHands, specifically in how the application processes user-supplied path parameters when generating git diffs.

When an authenticated user makes a request to the /api/conversations/{conversation_id}/git/diff endpoint, the path parameter is accepted and subsequently passed to the get_git_diff() function without adequate input validation or sanitization. The function then incorporates this untrusted input directly into a shell command construction, creating an injection point that attackers can exploit.

The vulnerability is network-accessible and requires only low privileges (authentication) to exploit. No user interaction is required for successful exploitation. While the scope is unchanged (contained within the sandbox), successful exploitation can result in high confidentiality impact with lower impacts to integrity and availability of the sandbox environment.

Root Cause

The root cause of CVE-2026-33718 is the direct concatenation or interpolation of user-supplied input into a shell command string without proper sanitization. The path parameter from the API request is passed to the get_git_diff() method, which constructs a shell command (likely involving git diff) using this unsanitized input. Python's subprocess module, when used with shell=True or equivalent string-based command execution, interprets shell metacharacters in the input, allowing command injection. The Python subprocess Security Considerations documentation explicitly warns against this pattern. Proper remediation involves using shlex.quote() for input sanitization as documented in the Python shlex Documentation, or avoiding shell interpretation entirely by passing commands as a list of arguments.
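The two remediation options named above, shown next to the interpolation pattern, as an added example that is not OpenHands code or the actual patch. The function names, the repository root and the sample input are assumptions made for illustration; nothing is executed, the commands are only built and tokenized.

```python
import shlex
from pathlib import Path

SAMPLE = "src/app.py; echo INJECTED"  # constructed, harmless input


def shell_tokens(command: str) -> list:
    """Split a command string roughly as a POSIX shell would, keeping ; | & as tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def unsafe_command(path: str) -> str:
    # Pattern described above: untrusted input interpolated into a shell string.
    return f"git diff -- {path}"


def quoted_command(path: str) -> str:
    # shlex.quote() turns the value into a single shell word.
    return f"git diff -- {shlex.quote(path)}"


def safe_argv(repo_root: str, path: str) -> list:
    """Build an argv list for subprocess.run(argv), i.e. with no shell involved."""
    if not path or "\x00" in path:
        raise ValueError("empty path or NUL byte")
    root = Path(repo_root).resolve()
    target = (root / path).resolve()
    try:
        rel = target.relative_to(root)  # rejects ../ traversal and absolute paths
    except ValueError:
        raise ValueError("path escapes the repository") from None
    # "--" ends option parsing, so a name starting with "-" is treated as a file.
    return ["git", "-C", str(root), "diff", "--", str(rel)]


if __name__ == "__main__":
    print(shell_tokens(unsafe_command(SAMPLE)))   # ';' appears as a separator
    print(shell_tokens(quoted_command(SAMPLE)))   # whole value is one word
    print(safe_argv("/workspace/repo", SAMPLE))   # whole value is one argv item
```
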

Attack Vector

The attack vector is network-based, targeting the REST API endpoint /api/conversations/{conversation_id}/git/diff. An authenticated attacker crafts a malicious HTTP request containing shell metacharacters (such as ;, |, $(), or backticks) within the path parameter. When the vulnerable function processes this request, the injected commands execute within the context of the agent sandbox.

The vulnerability allows command chaining and arbitrary command execution. For example, an attacker could inject commands to read sensitive files, establish reverse shells, or manipulate the sandbox environment. The OWASP Command Injection Overview provides comprehensive documentation on command injection attack techniques and exploitation patterns relevant to this vulnerability.

Detection Methods for CVE-2026-33718

Indicators of Compromise

  • Unusual characters in path parameters within git diff API request logs, including semicolons (;), pipes (|), backticks, or $() subshell syntax
  • Unexpected process spawns originating from the OpenHands runtime process, particularly shells or network utilities
  • API requests to /api/conversations/{conversation_id}/git/diff with abnormally long or encoded path values
  • Evidence of reconnaissance commands (e.g., whoami, id, uname) in sandbox execution logs
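
One way to check access logs for the first and third indicators, as an added example that is not part of the original advisory. It assumes combined-format log lines and that `path` arrives as a URL query parameter; the sample lines, the length threshold and all names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - u1 [27/Mar/2026:10:00:01 +0000] "GET /api/conversations/abc123/git/diff?path=src%2Fapp.py HTTP/1.1" 200 512',
    '198.51.100.9 - u2 [27/Mar/2026:10:00:05 +0000] "GET /api/conversations/abc123/git/diff?path=src%2Fapp.py%3B%20id HTTP/1.1" 200 87',
    '198.51.100.9 - u2 [27/Mar/2026:10:00:09 +0000] "GET /api/conversations/abc123/git/diff?path=README.md%24%28whoami%29 HTTP/1.1" 500 0',
    '198.51.100.9 - u2 [27/Mar/2026:10:00:12 +0000] "GET /api/conversations/abc123/git/diff?path=docs%252Fa%253Bid HTTP/1.1" 200 40',
    '198.51.100.7 - u1 [27/Mar/2026:10:00:15 +0000] "GET /api/conversations/abc123/events?path=%3B HTTP/1.1" 200 90',
]

REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = re.compile(r"^/api/conversations/[^/]+/git/diff/?$")
SHELL_META = re.compile(r"[;|&`<>\r\n]|\$[({]")
STILL_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
MAX_PATH_LEN = 256  # assumed alert threshold, tune to your repositories


def inspect_line(line):
    """Return the reasons a log line is suspicious, or [] if it is not."""
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if not ENDPOINT.match(url.path):
        return []  # other endpoints are out of scope for this check
    reasons = []
    # parse_qs percent-decodes each value once before we inspect it.
    for value in parse_qs(url.query, keep_blank_values=True).get("path", []):
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in path")
        if STILL_ENCODED.search(value):
            reasons.append("path still encoded after one decode")
        if len(value) > MAX_PATH_LEN:
            reasons.append("abnormally long path")
    return reasons


def scan(lines):
    """Map 1-based line number to reasons, for suspicious lines only."""
    return {n: r for n, line in enumerate(lines, 1) if (r := inspect_line(line))}


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG).items():
        print(number, reasons)
```
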

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block command injection patterns in API parameters targeting the git diff endpoint
  • Deploy runtime application self-protection (RASP) to monitor subprocess calls originating from the git_handler.py module
  • Configure API gateway logging to capture full request bodies for the affected endpoint and alert on suspicious patterns
  • Enable process monitoring within sandbox environments to detect anomalous child process creation

Monitoring Recommendations

  • Monitor API access logs for repeated requests to the git diff endpoint with varying path parameters, which may indicate exploitation attempts
  • Implement anomaly detection on command execution patterns within agent sandboxes to identify unusual activity
  • Track and alert on network connections originating from sandbox environments that deviate from expected behavior
  • Review OpenHands application logs for errors related to shell command execution in the git handler module

How to Mitigate CVE-2026-33718

Immediate Actions Required

  • Upgrade OpenHands to version 1.5.0 or later, which contains the fix for this vulnerability
  • If immediate upgrade is not possible, implement network-level restrictions to limit access to the git diff API endpoint to trusted sources only
  • Review API access logs for evidence of exploitation attempts prior to patching
  • Apply additional input validation at the API gateway or reverse proxy level for the affected endpoint

Patch Information

The vulnerability is addressed in OpenHands version 1.5.0. The fix is documented in GitHub Pull Request #13051, which implements proper input sanitization for the path parameter before shell command construction. Organizations should upgrade to version 1.5.0 or later immediately. For detailed technical information about the vulnerability and fix, refer to the GitHub Security Advisory GHSA-7h8w-hj9j-8rjw.

Workarounds

  • Restrict network access to the /api/conversations/{conversation_id}/git/diff endpoint using firewall rules or reverse proxy configurations until the patch can be applied
  • Implement a WAF rule to block requests containing shell metacharacters in the path parameter
  • Temporarily disable the git diff functionality if it is not critical to operations
  • Add authentication rate limiting to slow potential automated exploitation attempts

```nginx
# Example nginx configuration to restrict access to the vulnerable endpoint
location ~ ^/api/conversations/.*/git/diff {
    # Restrict to trusted IP ranges only
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;

    # Pass to upstream if allowed
    proxy_pass http://openhands_backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
