{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33718", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.749Z", "datePublished": "2026-03-27T00:12:24.752Z", "dateUpdated": "2026-03-27T20:04:54.607Z"}, "containers": {"cna": {"title": "OpenHands is Vulnerable to Command Injection through its Git Diff Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw"}, {"name": "https://github.com/OpenHands/OpenHands/pull/13051", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenHands/OpenHands/pull/13051"}, {"name": "https://docs.python.org/3/library/shlex.html#shlex.quote", "tags": ["x_refsource_MISC"], "url": "https://docs.python.org/3/library/shlex.html#shlex.quote"}, {"name": "https://docs.python.org/3/library/subprocess.html#security-considerations", "tags": ["x_refsource_MISC"], "url": "https://docs.python.org/3/library/subprocess.html#security-considerations"}, {"name": "https://owasp.org/www-community/attacks/Command_Injection", "tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-community/attacks/Command_Injection"}], "affected": [{"vendor": "OpenHands", "product": "OpenHands", "versions": [{"version": "< 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:12:24.752Z"}, "descriptions": [{"lang": "en", "value": "OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue."}], "source": {"advisory": "GHSA-7h8w-hj9j-8rjw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:04:41.208442Z", "id": "CVE-2026-33718", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:04:54.607Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33718", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:04:41.208442Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:04:51.082Z"}}], "cna": {"title": "OpenHands is Vulnerable to Command Injection through its Git Diff Handler", "source": {"advisory": "GHSA-7h8w-hj9j-8rjw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenHands", "product": "OpenHands", "versions": [{"status": "affected", "version": "< 1.5.0"}]}], "references": [{"url": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw", "name": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenHands/OpenHands/pull/13051", "name": "https://github.com/OpenHands/OpenHands/pull/13051", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.python.org/3/library/shlex.html#shlex.quote", "name": "https://docs.python.org/3/library/shlex.html#shlex.quote", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.python.org/3/library/subprocess.html#security-considerations", "name": "https://docs.python.org/3/library/subprocess.html#security-considerations", "tags": ["x_refsource_MISC"]}, {"url": "https://owasp.org/www-community/attacks/Command_Injection", "name": "https://owasp.org/www-community/attacks/Command_Injection", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:12:24.752Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33718", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:04:54.607Z", "dateReserved": "2026-03-23T17:06:05.749Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T00:12:24.752Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openhands:openhands:*:*:*:*:*:python:*:*", "matchCriteriaId": "FB590D9A-3D08-4968-B688-9BBC5061FCE2", "versionEndExcluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue."}, {"lang": "es", "value": "OpenHands es un software para el desarrollo impulsado por IA. A partir de la versi\u00f3n 1.5.0, existe una vulnerabilidad de inyecci\u00f3n de comandos en el m\u00e9todo 'get_git_diff()' en 'openhands/runtime/utils/git_handler.py:134'. El par\u00e1metro 'path' del endpoint de API '/api/conversations/{conversation_id}/git/diff' se pasa sin sanear a un comando de shell, permitiendo a atacantes autenticados ejecutar comandos arbitrarios en el sandbox del agente. Al usuario ya se le permite instruir al agente para ejecutar comandos, pero esto elude los canales normales. La versi\u00f3n 1.5.0 corrige el problema."}], "id": "CVE-2026-33718", "lastModified": "2026-04-10T15:23:47.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T01:16:19.483", "references": [{"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://docs.python.org/3/library/shlex.html#shlex.quote"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://docs.python.org/3/library/subprocess.html#security-considerations"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/OpenHands/OpenHands/pull/13051"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://owasp.org/www-community/attacks/Command_Injection"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "openhands", "vendor": "openhands"}], "analysis": {"en": {"generated_at": "2026-04-10T16:54:01.349641+00:00", "value": {"mitigation_remediation": ["Apply OpenHands 1.5.0 patch or later", "Restrict access to the /api/conversations/{conversation_id}/git/diff endpoint to trusted users only", "If the git diff feature is not required, consider disabling it to reduce the attack surface"], "summary": {"action": "Immediate Patch", "impact": "Command injection allowing arbitrary code execution in the agent sandbox"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the OpenHands product. Any release before version 1.5.0 runs the vulnerable code; version 1.5.0 and later contain the fix and should be deployed. The issue resides in the git diff functionality exposed through the OpenHands API.", "description_and_impact": "The get_git_diff() method in OpenHands copies a path parameter directly into a shell command without proper sanitization. A crafted value sent to the /api/conversations/{conversation_id}/git/diff endpoint enables an authenticated attacker to inject and execute arbitrary operating\u2011system commands, but only with the privileges granted to the agent sandbox.", "risk_and_exploitability": "The CVSS score of 7.6 classifies the flaw as high severity. EPSS indicates a probability of exploitation of less than 1\u202f%, suggesting limited current activity. It is not listed in the CISA KEV catalog, so no documented wild exploitation. Exploitation requires that the attacker authenticate to the API and invoke the git diff endpoint, making it conditional on compromised credentials or inadequate access control."}}}}, "created": "2026-03-27T08:31:15.431005+00:00", "updated": "2026-04-13T14:28:16.459294+00:00", "vendors": ["openhands", "openhands$PRODUCT$openhands"]}