CVE-2026-55743 (GCVE-0-2026-55743)

Vulnerability from cvelistv5 – Published: 2026-06-17 14:08 – Updated: 2026-06-17 15:40
VLAI
Title
OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution
Summary
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
Severity
9.6 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.4 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
Impacted products
Vendor Product Version
tinyhumansai OpenHuman Affected: 0 , ≤ 0.54.0 (semver)
Create a notification for this product.
Credits
Bobur Abdugafforov Zikrillayev Salohiddin
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55743",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T15:40:33.751475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T15:40:47.796Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/tinyhumansai/openhuman",
          "defaultStatus": "unaffected",
          "platforms": [
            "macOS",
            "Windows",
            "Linux"
          ],
          "product": "OpenHuman",
          "programFiles": [
            "src/openhuman/security/policy.rs"
          ],
          "programRoutines": [
            {
              "name": "is_args_safe"
            },
            {
              "name": "skip_env_assignments"
            }
          ],
          "repo": "https://github.com/tinyhumansai/openhuman",
          "vendor": "tinyhumansai",
          "versions": [
            {
              "lessThanOrEqual": "0.54.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bobur Abdugafforov"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Zikrillayev Salohiddin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe shell tool command allowlist in the \u003ccode\u003eSecurityPolicy\u003c/code\u003e of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in \u003ccode\u003esrc/openhuman/security/policy.rs\u003c/code\u003e combine: (1) \u003ccode\u003eis_args_safe()\u003c/code\u003e blocks the \u003ccode\u003efind\u003c/code\u003e flags \u003ccode\u003e-exec\u003c/code\u003e and \u003ccode\u003e-ok\u003c/code\u003e but not the functionally identical \u003ccode\u003e-execdir\u003c/code\u003e and \u003ccode\u003e-okdir\u003c/code\u003e, which also execute an arbitrary command for each matched file; and (2) \u003ccode\u003eskip_env_assignments()\u003c/code\u003e strips leading inline \u003ccode\u003eKEY=value\u003c/code\u003e environment-variable assignments before allowlist validation, so a command such as \u003ccode\u003eGIT_EXTERNAL_DIFF=\u0026lt;cmd\u0026gt; git diff\u003c/code\u003e is validated as the allowed \u003ccode\u003egit diff\u003c/code\u003e but, when executed via the shell, runs \u003ccode\u003e\u0026lt;cmd\u0026gt;\u003c/code\u003e through git\u0027s environment-driven hooks (for example \u003ccode\u003eGIT_EXTERNAL_DIFF\u003c/code\u003e or \u003ccode\u003eGIT_SSH_COMMAND\u003c/code\u003e). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user\u0027s machine. The issue was fixed in commit \u003ccode\u003e60050aa09a870f53ed7e4cd40ed41fd2860329e7\u003c/code\u003e (first released in 0.54.22-staging; first stable release 0.56.0), which blocks \u003ccode\u003e-execdir\u003c/code\u003e/\u003ccode\u003e-okdir\u003c/code\u003e for \u003ccode\u003efind\u003c/code\u003e.\u003c/p\u003e"
            }
          ],
          "value": "The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=\u003ccmd\u003e git diff is validated as the allowed git diff but, when executed via the shell, runs \u003ccmd\u003e through git\u0027s environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user\u0027s machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184 Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T14:08:33.726Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "references": [
        {
          "name": "Fix commit (PR #2636): block find -execdir/-okdir",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/tinyhumansai/openhuman/commit/60050aa09a870f53ed7e4cd40ed41fd2860329e7"
        },
        {
          "name": "Vulnerable source at v0.53.49-staging: src/openhuman/security/policy.rs",
          "tags": [
            "technical-description"
          ],
          "url": "https://github.com/tinyhumansai/openhuman/blob/v0.53.49-staging/src/openhuman/security/policy.rs"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/tinyhumansai/openhuman"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-55743",
    "datePublished": "2026-06-17T14:08:33.726Z",
    "dateReserved": "2026-06-17T12:59:17.621Z",
    "dateUpdated": "2026-06-17T15:40:47.796Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.