OpenHands
Every signal accepted for OpenHands. Each links to the run that produced it. The OpenHands profile carries the current evergreen state.
June 2026
-
Upgrade frontend deps (axios 1.16.0, dompurify 3.4.0) to close CVE-2026-44492 and CVE-2026-41238
- Two browser-facing frontend dependencies were patched in the window: axios to 1.16.0 (CVE-2026-44492, commit 73d1d9a) and dompurify to 3.4.0 (CVE-2026-41238, commit b025cd2). Two commits, one operator action: rebuild and redeploy the frontend bundle.
- Self-hosters pinning older lockfiles must bump both manually; a stale frontend build leaves both CVEs live.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
Upgrade dulwich to 1.2.5 to close CVE-2026-42305 in git operations
- Operator must re-resolve poetry.lock (enterprise and root) and rebuild backend images to ship patched dulwich; git operations run inside the agent runtime path.
- Distinct from the frontend CVEs: this is a backend Python git library, different surface and different verification (lockfile pin, not frontend bundle).
- Verification path: confirm dulwich>=1.2.5 in deployed poetry.lock / installed environment.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
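One way to run the dulwich verification path against a lockfile, as an added example (not OpenHands code). The function names and the sample lockfile text are constructed here; it assumes Poetry's usual `[[package]]` layout with `name` preceding `version`, and the 1.2.5 minimum comes from the entry above.

```python
import re

# Minimum taken from the digest entry above (dulwich 1.2.5).
MINIMUMS = {"dulwich": "1.2.5"}

def locked_versions(lock_text):
    """Map package name -> version from the [[package]] tables of a poetry.lock."""
    versions, name, in_package = {}, None, False
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Sub-tables such as [package.dependencies] are skipped.
            in_package, name = (line == "[[package]]"), None
            continue
        m = re.match(r'(name|version)\s*=\s*"([^"]*)"', line) if in_package else None
        if m and m.group(1) == "name":
            name = m.group(2).lower()
        elif m and name:
            versions[name] = m.group(2)
    return versions

def sort_key(version):
    """Numeric release padded to four parts; pre-releases sort below the final."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")][:4]
    nums += [0] * (4 - len(nums))
    is_pre = re.match(r"[-_.]?(a|b|rc|dev|alpha|beta)", m.group(2)) is not None
    return (tuple(nums), 0 if is_pre else 1)

def audit(lock_text, minimums=MINIMUMS):
    """Return 'ok', 'stale' or 'absent' for each package with a required minimum."""
    found = locked_versions(lock_text)
    report = {}
    for pkg, minimum in minimums.items():
        got = found.get(pkg)
        if got is None:
            report[pkg] = "absent"
        else:
            report[pkg] = "ok" if sort_key(got) >= sort_key(minimum) else "stale"
    return report

# Constructed sample lockfile fragment, not taken from the OpenHands repository.
STALE_LOCK = ('[[package]]\nname = "dulwich"\nversion = "1.2.4"\n\n'
              '[package.dependencies]\nurllib3 = ">=1.25"\n\n'
              '[[package]]\nname = "requests"\nversion = "2.32.0"\n')
PATCHED_LOCK = STALE_LOCK.replace('"1.2.4"', '"1.2.5"')
```

Run `audit()` on both the root and enterprise lockfiles, since the entry says both must be re-resolved; an "absent" result means the file does not pin dulwich at all and the installed environment has to be checked instead.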
-
ACP provider credentials now route through cipher-protected agent_context.secrets, not acp_env
- Operators running ACP agents must understand provider API keys/base URLs now flow through the cipher-protected secrets channel; the deprecated acp_env channel no longer carries credentials.
- Changes the persistence and exposure surface for agent provider credentials, with SDK gap-fill logic specifically preventing re-folding into the insecure acp_env channel.
- Verification path: confirm ACP provider creds appear via agent_context.secrets and are absent from acp_env in agent context.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
DELETE /api/organizations now cascade-deletes the sole-org requester (personal org)
- Operators must understand that deleting a personal org now also deletes the requesting user account, enabling re-onboarding on next login — a destructive identity-state change behind one endpoint.
- Changes operating-state semantics of an existing destructive API: requires backup discipline before org deletion; multi-org members are protected by preflight orphan detection.
- Verification path: test DELETE /api/organizations against a sole-org account vs a multi-org member and confirm orphan-rejection behavior.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
May 2026
-
OpenHands becomes the GUI shell for other harnesses, with org-level LLM profiles
Composes with Claude Code, Codex, Gemini CLI
- Evaluators of OpenHands as a multi-agent shell: enable `ENABLE_ACP` against your preferred ACP back-end (Claude Code, Codex, Gemini CLI) and test the policy surface — the greyed-out settings while ACP is active are intentional.
- Multi-tenant SaaS operators must confirm they are on 2026-05-22+ to get the MCP/ACP env scoping fix. Audit MCP credentials that may have been shared across org members pre-fix.
- Enterprise admins should treat the org-level LLM profile model as the canonical place to set 'this org uses these models' policy.
- Operators on the release channel need to know none of this is in a tagged 1.x release yet — main-branch only.
Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0
-
Sub-agent delegation (opt-in) and critic evaluation GUI
- Operators running multi-task sessions can now enable sub-agent delegation via `enable_sub_agents`. Built-in sub-agents (bash-runner, code-explorer, general-purpose, web-researcher) handle scoped tasks with restricted tool surfaces. Default is off -- enable deliberately.
- Operators should configure `CRITIC_API_KEY` to route critic evaluation spend separately from the primary model key if centralized cost control matters.
- The critic display is deployment-controlled via `OH_ENABLE_CRITIC_BY_DEFAULT` (disabled by default). Deployments that want it enabled should set that flag; per-deployment toggle is `verification.critic_enabled`.
Run: 2026-05-12-partial-cycle-openhands-2026-05-07_2026-05-12-frontier-v0
-
Real computers are becoming the agent work surface.
-
Agent harnesses are becoming full development platforms.
-
Accessibility is becoming a frontier capability.
-
Bitter needs a wrap, adapt, refuse decision for every frontier surface.
-
The agent interface is becoming a visible computer
- A serious agent harness increasingly needs browser, desktop, file, runtime, sandbox, and artifact surfaces that can be inspected.
Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1
-
Permissions, secrets, and sandboxes are moving into the foreground
- The harness must make trust state visible: what can be read, what can be changed, which credentials are exposed, and where execution happens.
Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1
-
Accessibility is a frontier capability, not marketing polish
- Everyday adoption depends on setup recovery, visible progress, voice/chat surfaces, readable UI, OAuth clarity, and fewer dead ends.
Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1
-
Agent systems are growing control planes
- Once agents coordinate across tasks, runtimes, gateways, and integrations, operators need liveness, cost, role, session, and recovery controls.
Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1
-
Integrations are volatile; the operating loop has to be durable
- Provider lists, plugin systems, transports, and model profiles will keep changing.
Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1