CVE-2026-55743: OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
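As an added illustration (not OpenHuman's own code) of the two gaps described above, a simplified model of the allowlist validator with the weak checks beside hardened ones. The names is_args_safe and skip_env_assignments follow the advisory, but their bodies, the ALLOWED list and the path /tmp/hook.sh used in the comments are assumptions; rejecting inline environment assignments outright goes beyond the fix the advisory describes, which only extends the find flag list.

```rust
// Added illustration, not OpenHuman's code: a simplified model of the two
// allowlist checks the advisory describes, in weak (pre-fix) and hardened form.
const ALLOWED: &[&str] = &["git", "find", "ls"]; // assumed allowlist

/// Weak check (models the pre-fix behaviour): only -exec/-ok are blocked.
fn is_args_safe_weak(args: &[&str]) -> bool {
    !args.iter().any(|a| *a == "-exec" || *a == "-ok")
}

/// Hardened check: -execdir/-okdir also run a command per matched file.
fn is_args_safe_fixed(args: &[&str]) -> bool {
    const BLOCKED: &[&str] = &["-exec", "-execdir", "-ok", "-okdir"];
    !args.iter().any(|a| BLOCKED.contains(a))
}

/// True for a shell-style KEY=value word (KEY matches [A-Za-z_][A-Za-z0-9_]*).
fn is_env_assignment(w: &str) -> bool {
    let Some((k, _)) = w.split_once('=') else { return false };
    !k.is_empty()
        && !k.starts_with(|c: char| c.is_ascii_digit())
        && k.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Pre-fix behaviour: leading assignments are dropped before validation, so the
/// shell still honours them while the allowlist never sees them.
fn skip_env_assignments<'a>(words: &'a [&'a str]) -> &'a [&'a str] {
    let n = words.iter().take_while(|w| is_env_assignment(w)).count();
    &words[n..]
}

/// Weak validator: strip assignments, then check program name and flags.
fn validate_weak(cmd: &str) -> bool {
    let words: Vec<&str> = cmd.split_whitespace().collect();
    match skip_env_assignments(&words).split_first() {
        Some((prog, args)) => ALLOWED.contains(prog) && is_args_safe_weak(args),
        None => false,
    }
}

/// Hardened validator: an inline assignment is rejected outright (git and ssh
/// consult variables such as GIT_EXTERNAL_DIFF / GIT_SSH_COMMAND) and the
/// wider find flag list applies.
fn validate_fixed(cmd: &str) -> bool {
    let words: Vec<&str> = cmd.split_whitespace().collect();
    match words.split_first() {
        Some((p, args)) => !is_env_assignment(p) && ALLOWED.contains(p) && is_args_safe_fixed(args),
        None => false,
    }
}
```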
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A sandbox bypass vulnerability in the OpenHuman desktop agent (versions through 0.54.0) allows an attacker to execute arbitrary operating system commands with the privileges of the logged-in desktop user. The vulnerability is reachable over the network via indirect prompt injection: malicious content in a document, email, calendar event, or web page ingested by the agent can instruct it to run a crafted allowlisted command that bypasses the shell tool sandbox. Successful exploitation gives an attacker full remote code execution on the host, including data exfiltration, arbitrary file read/write, and lateral movement. No stable fix version has been published at the time of this record; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-55743 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle the OpenHuman agent binary. Any image containing an affected version of the tinyhumansai/OpenHuman package is flagged automatically.
HarborGuard scores this CVE at CVSS v4.0 9.4 (Critical) and weights findings against each customer environment's configured compliance policy, escalating to the appropriate team inbox based on severity thresholds and asset classification. Per-environment policy weighting ensures that images running the OpenHuman agent in sensitive or internet-facing contexts are surfaced with the highest urgency.
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a stable upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's network-policy and egress-filtering recommendations to limit the agent's ability to reach untrusted external content that could carry a prompt-injection payload.
Exploit Conditions
- Network reachability: Required
The attack path requires the agent to ingest content from an attacker-controlled network source (document, email, calendar event, or web page), so the agent must be able to fetch or receive external network content.
- Authentication: Not required
No credentials or account on the target system are required; the attacker delivers the payload passively through content the agent fetches or processes.
- Victim interaction: Required
The desktop user must take an action that causes the agent to ingest attacker-controlled content, such as opening a document, loading an email, or visiting a web page that carries the prompt-injection payload.
- Attack complexity: Low
Exploitation is reliable and condition-free once the agent processes the malicious content; no race conditions, memory-layout dependencies, or special environmental factors are needed.
Blast Radius
- Reads arbitrary files on the host filesystem, including credentials, private keys, browser session tokens, and personal documents accessible to the desktop user.
- Writes or overwrites arbitrary files on the host filesystem, enabling persistence mechanisms or corruption of user data.
- Executes arbitrary OS commands with desktop-user privileges, allowing installation of malware or other attacker tooling.
- Enables lateral movement from the compromised workstation to other systems reachable on the same network using credentials or keys harvested from the host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-55743 is active and images containing OpenHuman at or below version 0.54.0 will be flagged as Critical on the next scan cycle. Because no stable upstream fix exists at the time of this record, no patched-image rebuild is yet available. HarborGuard re-checks the upstream advisory on every ingest cycle; the moment tinyhumansai publishes a fix, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and a PR opened against affected workloads without manual intervention. While awaiting the upstream fix, customers should consider applying compensating controls: use network policy or egress filtering to restrict the OpenHuman agent's access to untrusted external content sources, apply feature-flag gating to disable shell-tool execution in the agent's security policy if the deployment does not require it, and restrict the container's runtime user to the least privilege needed. For customers whose compliance policy requires a manual review gate, HarborGuard will route the finding to the configured security inbox with full CVSS context and remediation guidance as soon as a fix version is available.
Affected Products
- tinyhumansai / OpenHuman: ≤ 0.54.0
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H