Impact
The vulnerability resides in the shell tool command allowlist of OpenHuman desktop agent up to version 0.54.0. It allows an attacker to bypass the allowed list by using the find flags ‑execdir or ‑okdir, which execute arbitrary commands, and by inserting inline environment‑variable assignments that are stripped before validation. The flaw enables the execution of any OS command with the privileges of the desktop user, leading to data exfiltration, file read/write, and lateral movement on the host machine.
Affected Systems
Vulnerable installations are those running OpenHuman desktop agent versions prior to 0.54.22-staging, including all releases up to 0.54.0 and the interim 0.54.x series. The issue is fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7, first released in 0.54.22-staging and formally mature in 0.56.0. The affected product is the OpenHuman desktop agent from tinyhumansai.
Risk and Exploitability
With a CVSS score of 9.4 the vulnerability exposes a high‑impact remote code execution path. The EPSS score is reported as < 1 %, indicating currently a low probability of exploitation, yet the lack of presence in the CISA KEV catalog does not negate its severity. The likely attack vector is indirect prompt injection from untrusted sources (such as malicious documents, emails, calendar events or web pages) that instruct the agent to run a benign‑looking allowlisted command, triggering the sandbox bypass and resulting in arbitrary command execution.
OpenCVE Enrichment