PYSEC-2026-106

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/openhands-ai/PYSEC-2026-106.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-106
Aliases
Published
2026-03-27T01:16:19.483Z
Modified
2026-05-20T09:19:10.385090Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

OpenHands is software for AI-driven development. Prior to version 1.5.0, a command injection vulnerability exists in the get_git_diff() method at openhands/runtime/utils/git_handler.py:134. The path parameter of the /api/conversations/{conversation_id}/git/diff API endpoint is passed unsanitized into a shell command, allowing an authenticated attacker to execute arbitrary commands in the agent sandbox. An authenticated user can already instruct the agent to run commands, but this path bypasses the normal agent channels. Version 1.5.0 fixes the issue.
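As an added illustration (example code written for this page, not OpenHands' own git_handler.py), the following shows the pattern the advisory describes, a user-controlled path spliced into a shell string, beside a hardened version that validates the path and passes it to the binary as a single argv element. It uses `echo` as a stand-in for the `git` binary so it runs without a repository and prints exactly what the shell would have executed; the function names, the validation rules and the sample payload are assumptions, not details from the advisory.

```python
"""Vulnerable vs. hardened forwarding of a user-controlled path to git.

Example written for this page; it is not OpenHands' own code. GIT_STAND_IN
replaces the real `git` binary with `echo` so the demo runs anywhere and
shows exactly what the shell would have executed.
"""
import posixpath
import subprocess

GIT_STAND_IN = "echo"  # assumption: stand-in for "git" so no repository is needed


def get_git_diff_vulnerable(path: str) -> str:
    """Vulnerable pattern: untrusted `path` spliced into a shell string.

    The `--` separator stops git from reading the path as an option, but it
    does nothing against shell metacharacters: a `;` in `path` terminates
    the git command and starts a second, attacker-chosen one.
    """
    cmd = f"{GIT_STAND_IN} diff --no-color -- {path}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_repo_path(path: str) -> str:
    """Accept only a plain, repository-relative path; return it normalised."""
    if not path or "\x00" in path:
        raise ValueError("empty or NUL-containing path")
    if path.startswith("/"):
        raise ValueError("absolute path")
    norm = posixpath.normpath(path)
    if norm == ".." or norm.startswith("../"):
        raise ValueError("path escapes the repository")
    return norm


def is_valid_repo_path(path: str) -> bool:
    """Boolean wrapper around validate_repo_path for callers that only need a verdict."""
    try:
        validate_repo_path(path)
    except ValueError:
        return False
    return True


def get_git_diff_hardened(path: str) -> str:
    """Hardened pattern: validated path, argv list, no shell.

    With shell=False the path reaches the binary as one argument whatever
    characters it contains; `--` keeps git from parsing a path that begins
    with `-` as an option.
    """
    argv = [GIT_STAND_IN, "diff", "--no-color", "--", validate_repo_path(path)]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "README.md; echo INJECTED"  # constructed sample input
    print("vulnerable:", repr(get_git_diff_vulnerable(payload)))
    print("hardened:  ", repr(get_git_diff_hardened(payload)))
```

Running it shows the vulnerable variant emitting a second line, `INJECTED`, produced by the injected command, while the hardened variant hands the whole string, semicolon included, to the binary as one argument. The `--` in the vulnerable version is deliberate: it illustrates that an option-injection defense does not stop command injection once a shell is involved. If a shell really is unavoidable, `shlex.quote()` on the argument is the minimum, but an argv list with `shell=False` is the fix to prefer.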

References

Affected packages

PyPI / openhands-ai

Affected ranges

Type: ECOSYSTEM
Events
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 1.5.0

Affected versions

0.*
0.8.3
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.10.0
0.11.0
0.12.0
0.12.2
0.12.3
0.13.0
0.13.1
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.2
0.15.3
0.16.0
0.16.1
0.17.0
0.18.0
0.19.0
0.20.0
0.21.0
0.22.0
0.23.0
0.24.0
0.25.0
0.26.0
0.27.0
0.28.0
0.28.1
0.29.0
0.29.1
0.30.0
0.30.1
0.31.0
0.32.0
0.33.0
0.34.0
0.35.0
0.35.2
0.36.0
0.36.1
0.37.0
0.38.0
0.39.0
0.39.1
0.39.2
0.40.0
0.41.0
0.42.0
0.43.0
0.44.0
0.45.0
0.46.0
0.47.0
0.48.0
0.49.0
0.49.1
0.50.0
0.51.0
0.51.1
0.52.0
0.52.1
0.53.0
0.54.0
0.55.0
0.56.0
0.57.0
0.57.2
0.58.0
0.59.0
0.60.0
0.61.0
0.62.0
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/openhands-ai/PYSEC-2026-106.yaml"