{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33718", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.749Z", "datePublished": "2026-03-27T00:12:24.752Z", "dateUpdated": "2026-03-27T00:12:24.752Z"}, "containers": {"cna": {"title": "OpenHands is Vulnerable to Command Injection through its Git Diff Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw"}, {"name": "https://github.com/OpenHands/OpenHands/pull/13051", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenHands/OpenHands/pull/13051"}, {"name": "https://docs.python.org/3/library/shlex.html#shlex.quote", "tags": ["x_refsource_MISC"], "url": "https://docs.python.org/3/library/shlex.html#shlex.quote"}, {"name": "https://docs.python.org/3/library/subprocess.html#security-considerations", "tags": ["x_refsource_MISC"], "url": "https://docs.python.org/3/library/subprocess.html#security-considerations"}, {"name": "https://owasp.org/www-community/attacks/Command_Injection", "tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-community/attacks/Command_Injection"}], "affected": [{"vendor": "OpenHands", "product": "OpenHands", "versions": [{"version": "< 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:12:24.752Z"}, "descriptions": [{"lang": "en", "value": "OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue."}], "source": {"advisory": "GHSA-7h8w-hj9j-8rjw", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue."}], "id": "CVE-2026-33718", "lastModified": "2026-03-27T01:16:19.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:19.483", "references": [{"source": "security-advisories@github.com", "url": "https://docs.python.org/3/library/shlex.html#shlex.quote"}, {"source": "security-advisories@github.com", "url": "https://docs.python.org/3/library/subprocess.html#security-considerations"}, {"source": "security-advisories@github.com", "url": "https://github.com/OpenHands/OpenHands/pull/13051"}, {"source": "security-advisories@github.com", "url": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw"}, {"source": "security-advisories@github.com", "url": "https://owasp.org/www-community/attacks/Command_Injection"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "openhands", "vendor": "openhands"}], "analysis": {"en": {"generated_at": "2026-03-27T06:51:31.297957+00:00", "value": {"mitigation_remediation": ["Upgrade OpenHands to version 1.5.0 or later, which patches the command injection flaw.", "Restrict access to the /api/conversations/{conversation_id}/git/diff endpoint by limiting its use to trusted users and applying the least privilege principle to API permissions.", "If an upgrade cannot be performed immediately, temporarily disable the git diff endpoint or add input sanitization to quote the path until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary command execution in the agent sandbox"}, "threat_synthesis": {"affected_systems": "The flaw exists in all OpenHands releases prior to version 1.5.0. The affected component is the git diff handler located in openhands/runtime/utils/git_handler.py, and the vulnerability is triggered by calls to the aforementioned API endpoint. Only users with valid authentication who can access that endpoint are able to exploit the issue.", "description_and_impact": "A Command Injection flaw resides in the get_git_diff() function that builds a shell command with the path supplied by the /api/conversations/{conversation_id}/git/diff endpoint. Unsanitized input allows an authenticated user to inject arbitrary shell commands, which then run inside the agent\u2019s sandbox environment. The weakness is categorized as CWE\u201178, a classic command execution vulnerability that bypasses the normal command\u2010execution controls of OpenHands.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.6, indicating high severity. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the diff API; once invoked, the attacker can execute any shell command within the sandbox. While the compromise is confined to the sandbox, it can still lead to data exfiltration or privilege escalation if the sandbox has access to sensitive resources."}}}}, "created": "2026-03-27T08:31:15.431005+00:00", "updated": "2026-03-27T09:22:37.695003+00:00", "vendors": ["openhands", "openhands$PRODUCT$openhands"]}