CVE Catalog

CVE-2026-55743

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Summary

In the OpenHuman desktop agent tool up to version 0.54.0, the command allowlist can be bypassed, allowing arbitrary OS commands to be executed with the privileges of the desktop user. Two flaws in the code enable an attacker to achieve remote code execution through prompt injection.

Risk Assessment

The organization is at risk of remote code execution, which can lead to data exfiltration, unauthorized file access, and lateral movement within the user's system. An attacker can exploit malicious documents or messages to execute harmful commands.

Recommendation

It is recommended to update the OpenHuman desktop agent to version 0.56.0 or later to block the use of -execdir and -okdir flags. A security audit of systems should also be conducted to minimize the risk associated with this vulnerability.

Original NVD description (English source)

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS