OpenHands 6.7/10 Good · T2
bestaiq
// CODE

OpenHands Review (2026): The Open-Source Coding Agent, Reviewed on Cost, Benchmarks and Security

6.7/10
Good · T2

OpenHands is a capable, actively developed open-source AI coding agent that is genuinely free to self-host, but its highest-profile benchmark number is self-reported and its security-disclosure history includes a documented slow response to serious vulnerability reports.

SUB-SCORE SPINE
7.5
CAP
8.0
VAL
6.0
EAS
5.5
PRI
6.5
SUP
7.5
ECO
Independent · ad-free verdicts · we may earn affiliate commissions — this never affects our scores.
FIG · QUICK ANSWER

OpenHands, formerly known as OpenDevin, is an open-source AI coding agent built by All Hands AI. It started in March 2024 as a community reaction to Cognition's Devin, adopted the MIT license, and has since grown into a project with over 80,000 GitHub stars. It can be self-hosted for free, used through a capped free cloud tier, or licensed as an Enterprise product with custom pricing. This review looks at what it costs, what its benchmark claims do and do not show, and what its security track record looks like.

TABLE · AT A GLANCE
Category AI coding agent, open source [liveFacts] ✓Jul'2026
Pricing Free to self-host (MIT license); free Cloud Individual tier capped at 10 conversations/day; custom Enterprise pricing [liveFacts] ✓Jul'2026
Deployment Self-hosted, hosted Cloud SaaS, or Enterprise (SaaS or self-hosted in your own VPC) [liveFacts] ✓Jul'2026
License MIT for the core codebase; a separate license applies to the enterprise/ directory [liveFacts] ✓Jul'2026
Community size 80.4k GitHub stars and 10.3k forks as of July 2026 [liveFacts] ✓Jul'2026
Funding $23.8M total raised, including an $18.8M Series A led by Madrona in November 2025 [liveFacts] ✓Jul'2026

//Strengths & things to watch

STRENGTHS
  • The core agent is fully open source under the MIT license, with no per-seat licensing cost for self-hosting.
  • Self-hosted use with your own LLM key keeps code off OpenHands' own servers; only your chosen LLM provider sees your prompts and code.
  • Supports multiple LLM providers rather than locking users into one model.
  • Enterprise deployment can run entirely inside a customer's own VPC via Kubernetes, which matters for teams with data-residency requirements.
  • Active, large open-source community with over 80,000 GitHub stars as of mid-2026.
THINGS TO WATCH
  • The widely cited 72.8% SWE-Bench Verified score comes from OpenHands' own paper about its own SDK, tested with Claude Sonnet 4.5; it has not been independently reproduced, and third-party reviews report meaningfully lower scores, around 53%, with other model pairings.
  • An independent security researcher reported two prompt-injection vulnerabilities in March 2025, including one that could exfiltrate secrets with no user interaction; the researcher states roughly 148 days passed with no substantive response before the findings were published in August 2025.
  • A confirmed command-injection vulnerability, CVE-2026-33718, affected all versions up to 1.4.0 and was fixed in 1.5.0, though the same flaw was scored 7.6 (High) by GitHub and 9.9 (Critical) by NVD and OSV, so severity assessments differ by source.
  • Self-hosting is not turnkey: running your own Docker infrastructure and managing LLM API costs takes real ongoing effort.
  • No SOC 2, ISO 27001, HIPAA, or similar third-party compliance certification could be found on OpenHands' public pricing, enterprise, or privacy pages.
  • Enterprise pricing is not published and requires contacting sales.

//How it works

  1. 01
    Choose a deployment mode

    Run the MIT-licensed core locally with your own LLM API key, sign up for the free OpenHands Cloud tier, or arrange an Enterprise deployment as SaaS or self-hosted in your own VPC.

  2. 02
    Agent actions as executable code

    OpenHands uses the CodeAct approach, representing the agent's actions as Python or bash code executed inside a sandboxed Docker container instead of JSON tool calls.

  3. 03
    Tool access

    The agent can run terminal commands, execute Python via IPython, browse the web with a Playwright-based browser tool, and edit files directly inside the sandbox.

  4. 04
    Review and confirm

    The Agent SDK tags proposed actions with a risk level, low, medium, high, or unknown, and can require human confirmation before executing risky actions, depending on the configured policy.

FIG · SCORE BREAKDOWN
CapabilityCAP
0.30WEIGHT
7.5
ValueVAL
0.20WEIGHT
8.0
Ease of useEAS
0.15WEIGHT
6.0
PrivacyPRI
0.15WEIGHT
5.5
SupportSUP
0.10WEIGHT
6.5
EcosystemECO
0.10WEIGHT
7.5

EDITORIAL NOTEApplied a -0.3 override to reflect a documented pattern the weighted average understates: a security researcher's roughly 148-day wait before two significant prompt-injection vulnerabilities reached public disclosure, plus a separately confirmed critical-severity command-injection CVE, both weighing on overall trust posture.

SCORING PIPELINE — SHOW THE WORK
SOURCES
42
SUB-SCORES
6 DIMS
WEIGHTED
Σ=1.0
EDITORIAL
+OVERRIDE
VERDICT
6.7/10

//Who it's for

CHOOSE OPENHANDS IF…
  • Developers or teams that want an open-source coding agent they can self-host without per-seat fees and are comfortable supplying their own LLM API key.
  • Organizations that need code and conversations to stay inside their own VPC and can use the Enterprise self-hosted option.
  • Teams already comfortable managing Docker infrastructure who want full control over their agent deployment.
LOOK ELSEWHERE IF…
  • Teams that want a fully managed product with no self-hosting or Docker management at all.
  • Teams that require a published SOC 2, ISO 27001, or HIPAA certification today, since none could be confirmed as public.
  • Teams that need a guaranteed vendor response time for security reports; a documented case shows roughly 148 days passed before disclosure of two significant vulnerabilities.
TABLE · HOW IT COMPARES
ToolScoreTierFromFreeLink
OpenHandsTHIS TOOL 6.7 Good · T2 $0/mo [liveFacts] Yes
Playwright 8.4 EXCELLENT · T1 $0/mo [liveFacts] Yes Review →
Claude Code 7.9 GREAT · T2 $17/mo [liveFacts] No Review →
GitHub Copilot 7.8 GREAT · T2 $0/mo [liveFacts] Yes Review →

//What users say

AI synthesis of external reviews · not on bestaiq

Hacker News
POSITIVE1 source
[S]
Blogs
MIXED1 source
[S]
Blogs
MIXED1 source
[S]
Blogs
MIXED1 source
[S]
◆ AI SUMMARY

Synthesized from 5 external reviews. Independent signal (Trustpilot / Reddit / verified aggregators) weighted higher than commission-carrying review sites.

MOST PRAISED
  • Full autonomous read-code-test-PR loop without hand-holding
  • MIT license with no vendor lock-in and bring-your-own-model support
  • Docker-based sandbox isolation and browser tool access called out favorably versus some competitors
  • Large, active GitHub community (80.4k+ stars as of July 2026)
MOST CRITICIZED
  • Struggles with ambiguous requirements and can get stuck repeating a failing approach
  • Self-hosting requires real Docker/infrastructure and API-cost management
  • Lacked native MCP support as of April 2026 per one review
  • Community support carries no SLA
  • Enterprise pricing and feature specifics are not published
TAKEAWAYBest suited to teams willing to self-host or manage their own LLM costs in exchange for zero core licensing fees and full code/data control

//Frequently asked

Q1

Is OpenHands free to use?

The core OpenHands agent is open source under the MIT license and free to self-host, though you supply your own LLM API key. OpenHands Cloud also offers a free individual tier capped at 10 conversations per day. Enterprise deployment pricing is custom and not published.

Q2

How is OpenHands different from Devin?

OpenHands began in March 2024 as an open-source project originally named OpenDevin, described by its creators as an homage to Cognition's Devin. Unlike Devin, a closed commercial product, OpenHands' core is MIT licensed and can be self-hosted, with model-agnostic support for bringing your own LLM.

Q3

What SWE-bench score does OpenHands achieve?

OpenHands' own paper for its Software Agent SDK reports a 72.8% resolve rate on SWE-Bench Verified when paired with Claude Sonnet 4.5 with extended thinking enabled. That figure is self-reported by the OpenHands team, not independently replicated, and third-party reviews report lower figures, around 53%, when OpenHands is paired with other models, so any single percentage depends heavily on the underlying model.

Q4

Has OpenHands had any security vulnerabilities?

Yes. A confirmed command-injection vulnerability, tracked as CVE-2026-33718 and GHSA-7h8w-hj9j-8rjw, affected versions up to 1.4.0 and was fixed in 1.5.0. Separately, an independent security researcher reported two prompt-injection issues in March 2025, one allowing zero-click data exfiltration through rendered images and one allowing remote code execution; the researcher's writeup describes roughly 148 days passing before publishing the findings publicly in August 2025.

Q5

Does OpenHands train on my code?

It depends on the deployment mode. Self-hosted use with your own LLM key does not send data to OpenHands' own servers, though your prompts and code do go to whichever LLM provider you configure. On OpenHands Cloud, the privacy policy states that submitted content, including prompts and code, may be used to train and tune OpenHands' AI models. Enterprise deployments are marketed as keeping code and conversations inside the customer's own infrastructure.

Q6

Who is behind OpenHands?

OpenHands is developed by All Hands AI, a company founded in July 2024 by Robert Brennan, Xingyao Wang, and Graham Neubig to steward the open-source project after it launched as OpenDevin in March 2024. The company has raised a $5 million seed round led by Menlo Ventures and an $18.8 million Series A led by Madrona.

BOTTOM LINE
OpenHands

OpenHands is a legitimate, actively maintained open-source alternative to closed commercial coding agents, with real cost advantages for teams willing to self-host or manage their own infrastructure. Its most-quoted benchmark figure is self-reported, and its security-disclosure history includes a notably slow response to two serious vulnerability reports, so treat both the performance claims and the security posture as items to verify against current, primary sources before relying on them for a production deployment.

Good · T2 6.7/10

//Related tools

//Featured in

42 sources· Last verified Jul 2026 ✓ VERIFIED