Search
Find a vulnerability
Search criteria
1 vulnerability by tinyhumansai
CVE-2026-55743 (GCVE-0-2026-55743)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:08 – Updated: 2026-06-17 15:40
VLAI
Title
OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution
Summary
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/tinyhumansai/openhuman/commit/… | patch |
| https://github.com/tinyhumansai/openhuman/blob/v0… | technical-description |
| https://github.com/tinyhumansai/openhuman | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tinyhumansai | OpenHuman |
Affected:
0 , ≤ 0.54.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:40:33.751475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:40:47.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/tinyhumansai/openhuman",
"defaultStatus": "unaffected",
"platforms": [
"macOS",
"Windows",
"Linux"
],
"product": "OpenHuman",
"programFiles": [
"src/openhuman/security/policy.rs"
],
"programRoutines": [
{
"name": "is_args_safe"
},
{
"name": "skip_env_assignments"
}
],
"repo": "https://github.com/tinyhumansai/openhuman",
"vendor": "tinyhumansai",
"versions": [
{
"lessThanOrEqual": "0.54.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bobur Abdugafforov"
},
{
"lang": "en",
"type": "analyst",
"value": "Zikrillayev Salohiddin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe shell tool command allowlist in the \u003ccode\u003eSecurityPolicy\u003c/code\u003e of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in \u003ccode\u003esrc/openhuman/security/policy.rs\u003c/code\u003e combine: (1) \u003ccode\u003eis_args_safe()\u003c/code\u003e blocks the \u003ccode\u003efind\u003c/code\u003e flags \u003ccode\u003e-exec\u003c/code\u003e and \u003ccode\u003e-ok\u003c/code\u003e but not the functionally identical \u003ccode\u003e-execdir\u003c/code\u003e and \u003ccode\u003e-okdir\u003c/code\u003e, which also execute an arbitrary command for each matched file; and (2) \u003ccode\u003eskip_env_assignments()\u003c/code\u003e strips leading inline \u003ccode\u003eKEY=value\u003c/code\u003e environment-variable assignments before allowlist validation, so a command such as \u003ccode\u003eGIT_EXTERNAL_DIFF=\u0026lt;cmd\u0026gt; git diff\u003c/code\u003e is validated as the allowed \u003ccode\u003egit diff\u003c/code\u003e but, when executed via the shell, runs \u003ccode\u003e\u0026lt;cmd\u0026gt;\u003c/code\u003e through git\u0027s environment-driven hooks (for example \u003ccode\u003eGIT_EXTERNAL_DIFF\u003c/code\u003e or \u003ccode\u003eGIT_SSH_COMMAND\u003c/code\u003e). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user\u0027s machine. The issue was fixed in commit \u003ccode\u003e60050aa09a870f53ed7e4cd40ed41fd2860329e7\u003c/code\u003e (first released in 0.54.22-staging; first stable release 0.56.0), which blocks \u003ccode\u003e-execdir\u003c/code\u003e/\u003ccode\u003e-okdir\u003c/code\u003e for \u003ccode\u003efind\u003c/code\u003e.\u003c/p\u003e"
}
],
"value": "The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=\u003ccmd\u003e git diff is validated as the allowed git diff but, when executed via the shell, runs \u003ccmd\u003e through git\u0027s environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user\u0027s machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184 Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:08:33.726Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Fix commit (PR #2636): block find -execdir/-okdir",
"tags": [
"patch"
],
"url": "https://github.com/tinyhumansai/openhuman/commit/60050aa09a870f53ed7e4cd40ed41fd2860329e7"
},
{
"name": "Vulnerable source at v0.53.49-staging: src/openhuman/security/policy.rs",
"tags": [
"technical-description"
],
"url": "https://github.com/tinyhumansai/openhuman/blob/v0.53.49-staging/src/openhuman/security/policy.rs"
},
{
"tags": [
"product"
],
"url": "https://github.com/tinyhumansai/openhuman"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55743",
"datePublished": "2026-06-17T14:08:33.726Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-17T15:40:47.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}