{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-55743", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-06-17T12:59:17.621Z", "datePublished": "2026-06-17T14:08:33.726Z", "dateUpdated": "2026-06-17T15:40:47.796Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-17T14:08:33.726Z"}, "title": "OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-184", "description": "CWE-184 Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "affected": [{"vendor": "tinyhumansai", "product": "OpenHuman", "platforms": ["macOS", "Windows", "Linux"], "collectionURL": "https://github.com/tinyhumansai/openhuman", "repo": "https://github.com/tinyhumansai/openhuman", "programFiles": ["src/openhuman/security/policy.rs"], "programRoutines": [{"name": "is_args_safe"}, {"name": "skip_env_assignments"}], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "0.54.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The shell tool command allowlist in the <code>SecurityPolicy</code> of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in <code>src/openhuman/security/policy.rs</code> combine: (1) <code>is_args_safe()</code> blocks the <code>find</code> flags <code>-exec</code> and <code>-ok</code> but not the functionally identical <code>-execdir</code> and <code>-okdir</code>, which also execute an arbitrary command for each matched file; and (2) <code>skip_env_assignments()</code> strips leading inline <code>KEY=value</code> environment-variable assignments before allowlist validation, so a command such as <code>GIT_EXTERNAL_DIFF=&lt;cmd&gt; git diff</code> is validated as the allowed <code>git diff</code> but, when executed via the shell, runs <code>&lt;cmd&gt;</code> through git's environment-driven hooks (for example <code>GIT_EXTERNAL_DIFF</code> or <code>GIT_SSH_COMMAND</code>). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit <code>60050aa09a870f53ed7e4cd40ed41fd2860329e7</code> (first released in 0.54.22-staging; first stable release 0.56.0), which blocks <code>-execdir</code>/<code>-okdir</code> for <code>find</code>.</p>"}]}], "references": [{"url": "https://github.com/tinyhumansai/openhuman/commit/60050aa09a870f53ed7e4cd40ed41fd2860329e7", "name": "Fix commit (PR #2636): block find -execdir/-okdir", "tags": ["patch"]}, {"url": "https://github.com/tinyhumansai/openhuman/blob/v0.53.49-staging/src/openhuman/security/policy.rs", "name": "Vulnerable source at v0.53.49-staging: src/openhuman/security/policy.rs", "tags": ["technical-description"]}, {"url": "https://github.com/tinyhumansai/openhuman", "tags": ["product"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.4, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Bobur Abdugafforov", "type": "finder"}, {"lang": "en", "value": "Zikrillayev Salohiddin", "type": "analyst"}], "source": {"discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T15:40:33.751475Z", "id": "CVE-2026-55743", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T15:40:47.796Z"}}]}}

{}

{}

{}

{}