External risk intelligence

OpenHuman Desktop Agent Command Allowlist Bypass Leads to Remote Code Execution.

CVE advisory · Severity: CRITICAL (CVSS 9.4)

CVE-2026-55743

A vulnerability in the OpenHuman desktop agent allows bypassing its command allowlist to execute arbitrary OS commands with user privileges. This can occur when the agent processes malicious content, leading to potential remote code execution, data exfiltration, and system compromise. Confirmation of the agent's presen

OS Command Injection

Halo Surface Signal

Very unlikely · external exposure

The vulnerability exists in a desktop agent application intended for local end-user execution. While the agent processes external content, it operates as a client-side tool on a user's machine rather than as a public-facing network service, appliance, or infrastructure component. It lacks a persistent public internet listener or externally reachable management interface.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the OpenHuman desktop agent that could allow attackers to execute arbitrary operating system commands with user privileges. This could enable unauthorized access to sensitive data or allow for further compromise of the user's machine. The primary concern at this time is to confirm the relevance and exposure of this vulnerability to our environment.

  • Code flaws enable command execution.
  • Executive concern: potential system compromise.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by tricking the OpenHuman desktop agent into executing arbitrary operating system commands. This is achieved through indirect prompt injection, where malicious content like a document or email prompts the agent to run what appears to be a harmless, allowlisted command. However, due to flaws in how the agent validates commands and handles environment variables, the command is executed with the user's privileges, leading to potential code execution and data compromise.

  • Requires user to interact with malicious content.
  • Triggers by processing specially crafted input.
  • Risk of arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary operating system commands with the privileges of the logged-in user. This could occur when the desktop agent processes malicious content from untrusted sources, such as documents, emails, or web pages. The agent might be tricked into running a seemingly harmless, allowlisted command that, due to flaws in its security policy, actually executes attacker-provided code.

  • User's machine, data, and services.
  • Indirect prompt injection via malicious content.
  • Remote code execution and data exfiltration.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the OpenHuman desktop agent, likely putting responsibility on application owners and end-users for its containment. The first practical step is to identify all instances of the agent, confirm exposure to potentially malicious content, and understand which users or systems are most at risk before planning remediation.

  • Identify accountable application owners.
  • Verify agent exposure to untrusted content.
  • Plan remediation based on user risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-55743 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote code execution and could impact systems that process or store cardholder data, making it relevant to PCI scanning.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Frequently asked questions

What is the OpenHuman desktop agent?

OpenHuman is a local desktop software agent designed to interface with LLMs. It assists users by automating tasks and processing content from various sources, such as emails, calendar events, documents, and web pages, directly on their personal machines.

How does CVE-2026-55743 work?

This vulnerability is an OS Command Injection (CWE-78) combined with Incomplete List of Disallowed Inputs (CWE-184). The agent's security policy fails to block specific unsafe command flags and incorrectly strips environment variables during validation. These flaws allow an attacker to bypass the command allowlist and force the agent to execute unauthorized OS commands with the permissions of the logged-in user.
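A validator that avoids both flaw classes named in this answer, as an added example (not OpenHuman's code or its patch): flags are allowlisted per command instead of denylisted, and a leading environment assignment is rejected rather than stripped before the check. The policy contents and the names `POLICY`, `SAFE_ENV`, `validate`, `is_allowed` and `run_validated` are hypothetical.

```python
import re
import shlex
import subprocess

# Hypothetical policy (not OpenHuman's): command name -> flags explicitly permitted.
# Any flag not listed is refused, so there is no denylist to leave incomplete (CWE-184).
POLICY = {"ls": {"-l", "-a"}, "cat": set()}
ENV_ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")
SHELL_META = set(";|&`$<>(){}[]*?~!#\\\n")
SAFE_ENV = {"PATH": "/usr/bin:/bin"}  # fixed environment, nothing inherited


def validate(command_line):
    """Return the argv to run, or raise ValueError.

    Nothing is stripped or rewritten: the argv that passes the checks is
    exactly the argv that gets executed."""
    if SHELL_META & set(command_line):
        raise ValueError("shell metacharacter")
    argv = shlex.split(command_line)  # raises ValueError on unbalanced quotes
    if not argv:
        raise ValueError("empty command")
    if ENV_ASSIGNMENT.match(argv[0]):
        # Reject instead of stripping: a stripped prefix means the validated
        # command and the executed command are no longer the same thing.
        raise ValueError("environment assignment prefix")
    name, args = argv[0], argv[1:]
    if name not in POLICY:
        raise ValueError("command not allowlisted: " + name)
    for arg in args:
        # Exact match only: combined short flags such as -la are refused too.
        if arg.startswith("-") and arg not in POLICY[name]:
            raise ValueError("flag not allowlisted: " + arg)
    return argv


def is_allowed(command_line):
    try:
        validate(command_line)
        return True
    except ValueError:
        return False


def run_validated(command_line):
    # No shell, and a fixed environment rather than the caller's.
    return subprocess.run(validate(command_line), env=SAFE_ENV, shell=False,
                          capture_output=True, text=True, timeout=10)
```
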

Do I need to be directly attacked for this to trigger?

No. The trigger is indirect. An attacker does not need to log in or send direct requests. Instead, they provide malicious content—like a seemingly benign email or document—that the agent processes. The bug is not triggered by standard, safe interactions, but specifically when the agent encounters input that tricks it into running a malicious version of an allowlisted command.

Is my machine at risk per Halo Surface Signal?

Halo Surface Signal assesses this as very unlikely to be exposed via external network scanning. Because OpenHuman is a client-side tool and not a public-facing service or infrastructure component, it lacks the persistent network listeners that attackers typically scan for. The primary risk is local execution triggered by the user interacting with untrusted content.

What is the first step to address this?

Start by identifying all systems running the OpenHuman desktop agent. Once you have a list of installations, prioritize verifying which users frequently process content from untrusted or external sources, as these are the most likely vectors for exploitation. Use this information to coordinate updates once a secure version is available.
