OpenHands AI Dev Tool Hit with Command Injection Flaw
CVE Notify is flagging a critical command injection vulnerability in OpenHands, an AI-driven development software. The issue, discovered in versions prior to 1.5.0, resides within the get_git_diff() method in openhands/runtime/utils/git_handler.py. According to CVE Notify, the path parameter, which is part of the /api/conversations/{conversation_id}/git/diff API endpoint, is not properly sanitized before being passed to a shell command.
This oversight allows authenticated attackers to inject and execute arbitrary commands directly within the agent’s sandbox environment. While users can already instruct the agent to run commands, this vulnerability bypasses those standard controls, potentially leading to a full system compromise. OpenHands version 1.5.0 has been released to patch this significant security gap.
What This Means For You
- Organizations using OpenHands should immediately update to version 1.5.0 or later. If an immediate update isn't feasible, review access controls and logging for the `/api/conversations/{conversation_id}/git/diff` endpoint to detect anomalous command execution patterns.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33718 | Command Injection | OpenHands version 1.5.0, vulnerable method: get_git_diff() in openhands/runtime/utils/git_handler.py:134, vulnerable endpoint: /api/conversations/{conversation_id}/git/diff, vulnerable parameter: path |
| CVE-2026-33718 | Auth Bypass | OpenHands version 1.5.0, vulnerability in get_git_diff() method allows bypassing normal command execution channels. |