CVE-2026-33718
Published: 27 March 2026
Description
OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly requires validation and sanitization of the unsanitized `path` parameter before passing to shell commands, preventing command injection in `get_git_diff()`.
- Mandates timely remediation of the specific command injection flaw by updating to the patched version 1.5.0.
- Enforces restrictions and inspections on high-risk inputs like the `path` parameter to block malicious command injection payloads.
Security Summary (AI)
CVE-2026-33718 is a command injection vulnerability in OpenHands, software for AI-driven development. The flaw exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`, where the `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command. This affects OpenHands starting in version 1.5.0, with version 1.5.0 fixing the issue. It is rated with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) and maps to CWE-78.
Authenticated attackers with low privileges can exploit the vulnerability over the network with low complexity and no user interaction. By supplying a malicious `path` parameter, they can execute arbitrary commands within the agent sandbox. Although users are already permitted to instruct the agent to execute commands through normal channels, this vulnerability bypasses those mechanisms.
The OpenHands GitHub security advisory (GHSA-7h8w-hj9j-8rjw) and pull request #13051 document the patch applied in version 1.5.0. Mitigation requires updating to the fixed version. Additional guidance from references emphasizes using `shlex.quote` for proper shell argument escaping, adhering to subprocess security considerations in Python documentation, and following OWASP recommendations to prevent command injection.
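The escaping guidance above, shown as an added example that is not OpenHands code: it runs the same constructed `path` value through an interpolated shell string, a `shlex.quote`-escaped string, and an argument list, then checks whether the injected command ran. `cat` stands in for the git invocation (which this page does not show); the function names, marker file and hostile value are assumptions made for illustration.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

MARKER = "injected.marker"                   # constructed, harmless proof file
HOSTILE_PATH = f"README.md; touch {MARKER}"  # constructed `path` value


def run_unsafe(path: str, cwd: str) -> None:
    # Vulnerable pattern: the shell parses `;` inside the untrusted value,
    # so everything after it runs as a second command.
    subprocess.run(f"cat {path}", shell=True, cwd=cwd, capture_output=True)


def run_quoted(path: str, cwd: str) -> None:
    # shlex.quote turns the whole value into one shell word, so `;` is just
    # part of a (non-existent) file name.
    subprocess.run(f"cat -- {shlex.quote(path)}", shell=True, cwd=cwd,
                   capture_output=True)


def run_argv(path: str, cwd: str) -> None:
    # No shell at all: metacharacters have no meaning. The `--` also stops a
    # value beginning with "-" from being read as an option.
    subprocess.run(["cat", "--", path], cwd=cwd, capture_output=True)


def marker_created(runner) -> bool:
    """Run `runner` on the hostile value in a scratch directory and report
    whether the injected `touch` left its marker file behind."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "README.md").write_text("hello\n")
        runner(HOSTILE_PATH, tmp)
        return Path(tmp, MARKER).exists()


if __name__ == "__main__":
    for fn in (run_unsafe, run_quoted, run_argv):
        print(f"{fn.__name__:11s} injected command ran: {marker_created(fn)}")
```

The argument-list form is the more robust of the two fixes because it removes the shell from the call entirely, whereas quoting must be applied to every interpolated value.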
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: ai
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Command injection vulnerability in a web API endpoint (/api/conversations/{conversation_id}/git/diff) allows authenticated low-privilege attackers to execute arbitrary shell commands, directly enabling exploitation of public-facing applications (T1190) and command interpreter execution via Unix Shell (T1059.004).