PatchSiren

CVE-2026-55743 tinyhumansai CVE debrief

The OpenHuman desktop agent, through version 0.54.0, contains a critical vulnerability (CVE-2026-55743) that allows attackers to bypass the shell tool command allowlist in the SecurityPolicy and execute arbitrary OS commands with the privileges of the desktop user. The bypass combines two flaws in the src/openhuman/security/policy.rs file. The vulnerability can be exploited via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7, first released in version 0.54.22-staging; the first stable release with the fix is 0.56.0.

Vendor: tinyhumansai
Product: OpenHuman
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Users of OpenHuman desktop agent versions up to 0.54.0 should be aware of this critical vulnerability and take immediate action to update to a patched version. Security teams and administrators responsible for managing OpenHuman deployments should prioritize patching to prevent potential exploitation.

Technical summary

The vulnerability (CVE-2026-55743) arises from two flaws in the src/openhuman/security/policy.rs file of the OpenHuman desktop agent. First, the is_args_safe() function blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file. Second, skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but executes <cmd> through git's environment-driven hooks. In both cases the string that passes validation is not equivalent to what the shell actually runs, which lets attackers achieve remote code execution via indirect prompt injection.
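
The sketch below is an added example, not code from OpenHuman's policy.rs or from the fixing commit. It shows one way to close both gaps: deny a leading KEY=value assignment instead of skipping it, and list all four find actions. The names ALLOWED, FIND_EXEC_FLAGS, Verdict, is_env_assignment and check, the allowlist contents, and the pre-tokenized input are assumptions.

```rust
// Added illustration, not OpenHuman code. All names here are hypothetical.
const ALLOWED: &[&str] = &["git", "find", "ls"]; // assumed allowlist
// find actions that run a command per matched file (all four named in the advisory).
const FIND_EXEC_FLAGS: &[&str] = &["-exec", "-ok", "-execdir", "-okdir"];

#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, DenyEnvAssignment, DenyNotAllowlisted, DenyExecFlag }

/// True if `tok` has the shell form NAME=value, NAME = [A-Za-z_][A-Za-z0-9_]*.
fn is_env_assignment(tok: &str) -> bool {
    match tok.split_once('=') {
        Some((name, _)) => {
            let mut chars = name.chars();
            matches!(chars.next(), Some(c) if c.is_ascii_alphabetic() || c == '_')
                && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
        }
        None => false,
    }
}

/// Validate exactly the tokens that will run; a leading assignment is denied, not skipped.
pub fn check(tokens: &[&str]) -> Verdict {
    let first = match tokens.first() {
        Some(f) => *f,
        None => return Verdict::DenyNotAllowlisted,
    };
    if is_env_assignment(first) {
        return Verdict::DenyEnvAssignment;
    }
    if !ALLOWED.contains(&first) {
        return Verdict::DenyNotAllowlisted;
    }
    if first == "find" && tokens[1..].iter().any(|a| FIND_EXEC_FLAGS.contains(a)) {
        return Verdict::DenyExecFlag;
    }
    Verdict::Allow
}

fn main() {
    // Constructed samples; <cmd> is the advisory's own placeholder.
    let samples: [&[&str]; 3] = [
        &["git", "diff"],
        &["GIT_EXTERNAL_DIFF=<cmd>", "git", "diff"],
        &["find", ".", "-execdir", "<cmd>", ";"],
    ];
    for s in samples.iter() {
        println!("{:?} -> {:?}", s, check(s));
    }
}
```

An option such as --format=x is not treated as an assignment, because its name part does not start with a letter or underscore.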

Defensive priority

Critical

Recommended defensive actions

  • Update OpenHuman desktop agent to version 0.56.0 or later.
  • Restrict access to sensitive documents, emails, calendar events, and web pages.
  • Implement additional security measures to detect and prevent indirect prompt injection attacks.
  • Monitor OpenHuman desktop agent logs for suspicious activity.
  • Consider implementing a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
  • Conduct regular security audits and vulnerability assessments.
  • Keep all dependencies and libraries up to date.

Evidence notes

The information provided is based on the CVE-2026-55743 record and the OpenHuman GitHub repository. The vulnerability was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7. The CVE record and NVD detail pages provide additional information on the vulnerability.

Official resources

CVE-2026-55743 was published on 2026-06-17T15:17:02.337Z and modified on 2026-06-17T17:17:27.580Z.