Description
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
Published: 2026-06-17
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the shell tool command allowlist of OpenHuman desktop agent up to version 0.54.0. It allows an attacker to bypass the allowed list by using the find flags ‑execdir or ‑okdir, which execute arbitrary commands, and by inserting inline environment‑variable assignments that are stripped before validation. The flaw enables the execution of any OS command with the privileges of the desktop user, leading to data exfiltration, file read/write, and lateral movement on the host machine.

Affected Systems

Vulnerable installations are those running OpenHuman desktop agent versions prior to 0.54.22-staging, including all releases up to 0.54.0 and the interim 0.54.x series. The issue is fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7, first released in 0.54.22-staging and formally mature in 0.56.0. The affected product is the OpenHuman desktop agent from tinyhumansai.

Risk and Exploitability

With a CVSS score of 9.4 the vulnerability exposes a high‑impact remote code execution path. The EPSS score is reported as < 1 %, indicating currently a low probability of exploitation, yet the lack of presence in the CISA KEV catalog does not negate its severity. The likely attack vector is indirect prompt injection from untrusted sources (such as malicious documents, emails, calendar events or web pages) that instruct the agent to run a benign‑looking allowlisted command, triggering the sandbox bypass and resulting in arbitrary command execution.

Generated by OpenCVE AI on June 18, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest OpenHuman desktop agent release (0.56.0 or later) that incorporates the security policy fix for ‑execdir and ‑okdir.
  • Reconfigure the agent to use the updated Supervised security policy and ensure that inline environment variable assignments are no longer stripped before allowlist validation.
  • If an upgrade cannot be performed immediately, restrict the agent’s ingestion of untrusted content—disable or tightly filter emails, documents, calendar events, and web pages—and run the agent process under the least privilege required for its functions.

Generated by OpenCVE AI on June 18, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Tinyhumansai
Tinyhumansai openhuman
Vendors & Products Tinyhumansai
Tinyhumansai openhuman

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
Title OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution
Weaknesses CWE-184
CWE-78
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Tinyhumansai Openhuman
cve-icon MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-17T15:40:47.796Z

Reserved: 2026-06-17T12:59:17.621Z

Link: CVE-2026-55743

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:26Z

Weaknesses
  • CWE-184

    Incomplete List of Disallowed Inputs

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')