PT-2026-28181 · Openhands · Openhands

Published 2026-03-25 · Updated 2026-04-10 · CVE-2026-33718

CVSS v3.1 9.9 Critical
Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenHands versions prior to 1.5.0
Description: OpenHands is software for AI-driven development. A command injection vulnerability exists in the get_git_diff() method at openhands/runtime/utils/git_handler.py:134. The path parameter of the /api/conversations/{conversation_id}/git/diff API endpoint is interpolated directly into a shell command string, without sanitization, and that string is executed with shell=True, so shell metacharacters in the path are interpreted as commands. An authenticated attacker can therefore execute arbitrary commands in the agent sandbox. A user is already allowed to instruct the agent to execute commands, but this path bypasses the agent's normal channels. An attacker can execute arbitrary commands, read sensitive files, write arbitrary files, establish reverse shells, and potentially escape the container.
Recommendations: Update to version 1.5.0 or later.
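The bug class the description names, as an added example that is not OpenHands' own code and not the project's 1.5.0 fix: a constructed git-diff helper that interpolates a user-controlled path into a shell string run with shell=True, beside a hardened version that validates the path and passes argv to git without a shell. The function names, the validation rules and the sample payload are assumptions made for illustration.

```python
"""Constructed illustration of shell interpolation with shell=True (not
OpenHands code) next to one way to harden it: argv list, no shell, path check."""
import subprocess
from pathlib import PurePosixPath


def vulnerable_diff_command(path: str) -> str:
    # Bug class: the user-supplied path is pasted into a shell command string.
    return f"git diff --no-color -- {path}"


def run_vulnerable(path: str) -> subprocess.CompletedProcess:
    # shell=True hands the string to /bin/sh, so ';', '|', '$( )' and friends
    # inside `path` are parsed as shell syntax instead of as a file name.
    return subprocess.run(vulnerable_diff_command(path), shell=True,
                          capture_output=True, text=True)


def validate_repo_path(path: str) -> str:
    """Accept only a non-empty, relative path with no parent traversal
    (assumed policy: the diff must stay inside the workspace checkout)."""
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    p = PurePosixPath(path)
    if p.is_absolute():
        raise ValueError("absolute path rejected")
    if ".." in p.parts:
        raise ValueError("parent traversal rejected")
    if not p.parts:
        raise ValueError("empty path")
    return p.as_posix()


def path_is_accepted(path: str) -> bool:
    try:
        validate_repo_path(path)
        return True
    except ValueError:
        return False


def safe_diff_argv(path: str) -> list:
    # No shell: every element is exactly one argv entry, so a path like
    # 'a.txt; echo INJECTED' reaches git as a single literal file name.
    # '--' stops git from parsing a path that starts with '-' (for example
    # '--output=/tmp/x', which would make git diff write a file) as an option.
    return ["git", "diff", "--no-color", "--", validate_repo_path(path)]


def run_safe(workspace: str, path: str) -> subprocess.CompletedProcess:
    # cwd pins the command to the workspace; shell=False is the default but
    # is spelled out here because it is the point of the fix.
    return subprocess.run(safe_diff_argv(path), cwd=workspace, shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    payload = "nonexistent.txt; echo INJECTED"   # constructed sample input
    print("vulnerable stdout:", run_vulnerable(payload).stdout.strip())
    print("hardened argv:", safe_diff_argv(payload))
    for bad in ("/etc/passwd", "../../etc/passwd", ""):
        print(repr(bad), "accepted:", path_is_accepted(bad))
```

Quoting the path with shlex.quote() and keeping shell=True would also stop the metacharacter break-out, but the argv form removes the shell entirely, which is the smaller attack surface; the path check and the `--` separator are still needed in either form because git itself will interpret option-looking arguments and traversal paths.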

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2026-33718
GHSA-7H8W-HJ9J-8RJW
PYSEC-2026-106

Affected Products

Openhands