Intel

AIKIDO-2026-157592

openhands-agent-server is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource Consumption Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

35

Low Risk

This Affects:

PYTHONopenhands-agent-server
1.0.0 - 1.22.0
Fixed in 1.22.1
Are you affected? Scan for Free

TL;DR

The agent server registers every WebSocket client that connects to a conversation's event or bash-event stream as a PubSub subscriber with no upper limit. A client that can reach these WebSocket endpoints can open many concurrent connections to the same conversation, each adding a subscriber that receives every published event. The unbounded subscriber set lets a single conversation accumulate connections and event fan-out work until the server exhausts memory and processing capacity. The fix caps the per-conversation subscriber count and rejects additional connections by closing them with WebSocket code 1013.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and expose the conversation or bash-event WebSocket endpoints to clients that can open many concurrent connections (unauthenticated when session API keys are not configured, or authenticated when they are).

Background info

openhands-agent-server is vulnerable to Uncontrolled Resource Consumption in versions 1.0.0 - 1.22.0.

How to fix this

Upgrade the openhands-agent-server library to the patch version.