CVE-2026-33718: OpenHands is Vulnerable to Command Injection through its Git Diff Handler
(updated )
A Command Injection vulnerability exists in the get_git_diff() method at openhands/runtime/utils/git_handler.py:134. The path parameter from the /api/conversations/{conversation_id}/git/diff API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels.
References
- docs.python.org/3/library/shlex.html
- docs.python.org/3/library/subprocess.html
- github.com/OpenHands/OpenHands
- github.com/OpenHands/OpenHands/pull/13051
- github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw
- github.com/advisories/GHSA-7h8w-hj9j-8rjw
- nvd.nist.gov/vuln/detail/CVE-2026-33718
- owasp.org/www-community/attacks/Command_Injection
Code Behaviors & Features
Detect and mitigate CVE-2026-33718 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →