CRITICAL
tinyhumansai
CVE published 2026-06-17
CVE-2026-55743
The OpenHuman desktop agent, through version 0.54.0, contains a critical vulnerability (CVE-2026-55743) that lets attackers bypass the shell tool command allowlist in the SecurityPolicy and execute arbitrary OS commands with the privileges of the desktop user. The bypass stems from two combined flaws in src/openhuman/security/policy.rs. The vulnerability can be exploited vi [truncated]