Description
OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue.
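As an added example (not code from OpenHands or from this advisory), the handler pattern that avoids the CWE-78 defect described above: the caller-supplied path is confined to the repository and handed to git as one argv element, with no shell involved. The function names, the repository path and the sample inputs are assumptions.

```python
from __future__ import annotations

import subprocess
from pathlib import Path


def is_within_repo(repo_dir: str, path: str) -> bool:
    """True if `path`, joined to the repository root, stays inside it.

    Joining an absolute path replaces the root entirely, and `..` segments are
    collapsed by resolve(), so both escape attempts fail the containment test.
    """
    repo = Path(repo_dir).resolve()
    target = (repo / path).resolve()
    return target == repo or repo in target.parents


def build_git_diff_argv(repo_dir: str, path: str) -> list[str]:
    """Build the argv for `git diff` on one path without invoking a shell.

    The reported defect pattern is interpolating the request's `path` into a
    shell command string. Here the path is validated and then passed as a
    single argv element, so shell metacharacters in it carry no meaning.
    """
    if not is_within_repo(repo_dir, path):
        raise ValueError(f"path escapes repository: {path!r}")
    repo = Path(repo_dir).resolve()
    rel = (repo / path).resolve().relative_to(repo)
    # `--` stops git from reading the path as an option or a revision name.
    return ["git", "-C", str(repo), "diff", "--", str(rel)]


def run_git_diff(repo_dir: str, path: str) -> str:
    """Run the diff with a list argv (shell=False) and return its output."""
    argv = build_git_diff_argv(repo_dir, path)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed repository path; argv construction does not require it to exist.
    print(build_git_diff_argv("/tmp/example-repo", "src/app.py"))
```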
Published: 2026-03-27
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Command injection allowing arbitrary code execution in the agent sandbox
Action: Immediate Patch
AI Analysis

Impact

The get_git_diff() method in OpenHands copies a path parameter directly into a shell command without proper sanitization. A crafted value sent to the /api/conversations/{conversation_id}/git/diff endpoint enables an authenticated attacker to inject and execute arbitrary operating-system commands, but only with the privileges granted to the agent sandbox.

Affected Systems

This vulnerability affects the OpenHands product. Any release before version 1.5.0 runs the vulnerable code; version 1.5.0 and later contain the fix and should be deployed. The issue resides in the git diff functionality exposed through the OpenHands API.

Risk and Exploitability

The CVSS score of 7.6 classifies the flaw as high severity. EPSS indicates a probability of exploitation of less than 1%, suggesting limited current activity. It is not listed in the CISA KEV catalog, so there is no documented exploitation in the wild. Exploitation requires that the attacker authenticate to the API and invoke the git diff endpoint, making it conditional on compromised credentials or inadequate access control.

Generated by OpenCVE AI on April 10, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenHands 1.5.0 patch or later
  • Restrict access to the /api/conversations/{conversation_id}/git/diff endpoint to trusted users only
  • If the git diff feature is not required, consider disabling it to reduce the attack surface



Advisories

Source: Github GHSA
ID: GHSA-7h8w-hj9j-8rjw
Title: OpenHands is Vulnerable to Command Injection through its Git Diff Handler

History

Fri, 10 Apr 2026 15:30:00 +0000
Type: CPEs
Values Added: cpe:2.3:a:openhands:openhands:*:*:*:*:*:python:*:*

Sat, 28 Mar 2026 03:15:00 +0000
Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000
Type: First Time appeared
Values Added: Openhands; Openhands openhands
Type: Vendors & Products
Values Added: Openhands; Openhands openhands

Fri, 27 Mar 2026 04:00:00 +0000
Type: Description
Values Added: OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The `path` parameter from the `/api/conversations/{conversation_id}/git/diff` API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels. Version 1.5.0 fixes the issue.
Type: Title
Values Added: OpenHands is Vulnerable to Command Injection through its Git Diff Handler
Type: Weaknesses
Values Added: CWE-78
Type: References (no values listed)
Type: Metrics
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:04:54.607Z

Reserved: 2026-03-23T17:06:05.749Z

Link: CVE-2026-33718

Vulnrichment

Updated: 2026-03-27T20:04:51.082Z

NVD

Status: Analyzed

Published: 2026-03-27T01:16:19.483

Modified: 2026-04-10T15:23:47.010

Link: CVE-2026-33718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:16Z

Weaknesses