Skip to main content

Openharness CVE-2026-22682

| EUVDEUVD-2026-19746 HIGH
Incorrect Authorization (CWE-863)
2026-04-07 VulnCheck GHSA-43rx-99w7-v5fh
8.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 16:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 18:00 euvd
EUVD-2026-19746
Analysis Generated
Apr 07, 2026 - 18:00 vuln.today
Patch released
Apr 07, 2026 - 18:00 nvd
Patch available
CVE Published
Apr 07, 2026 - 17:09 nvd
HIGH 8.4

DescriptionCVE.org

OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode.

AnalysisAI

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence over agent tool execution to read arbitrary local files and write/overwrite files outside intended repository boundaries. The vulnerability stems from inconsistent parameter handling where the path parameter is not passed to PermissionChecker in four file operation tools (read_file, write_file, edit_file, notebook_edit), enabling bypass of deny rules to access sensitive credentials, SSH keys, and configuration files. Upstream fix available (PR/commit); released patched version not independently confirmed. EPSS data not available; no public exploit identified at time of analysis.

Technical ContextAI

OpenHarness is an AI agent development framework (HKUDS project) that provides file manipulation tools with permission enforcement mechanisms. The vulnerability exists in the built-in file tools layer where a PermissionChecker component is intended to validate file access against repository scope restrictions. The root cause (CWE-863: Incorrect Authorization) manifests as inconsistent authorization enforcement - while permission checks exist, the critical 'path' parameter required for proper access control validation is omitted when invoking PermissionChecker in four distinct file operation functions. This architectural flaw creates a parameter binding mismatch where the authorization decision is made without knowledge of the actual target path, rendering deny rules ineffective. In full_auto mode, this extends to file creation and overwriting capabilities, amplifying the authorization bypass from read-only to read-write scope violations across the host filesystem.

RemediationAI

Organizations should immediately upgrade to OpenHarness commit 166fcfefb7614dbac51bd061f56542725b0298e9 or later, which addresses the parameter handling inconsistency by ensuring the path parameter is correctly passed to PermissionChecker across all four affected file tools. The patch is available through GitHub pull request #32 (https://github.com/HKUDS/OpenHarness/pull/32) with the specific fix commit at https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9. Until patching is complete, organizations should implement compensating controls including restricting which users can influence agent tool execution, implementing additional filesystem-level access controls through OS permissions or containerization boundaries, disabling full_auto mode if write capabilities are not essential, and monitoring file access patterns for suspicious out-of-scope operations. Detailed vulnerability analysis is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools.

CVE-2026-7551 HIGH
8.7 Apr 30

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c

CVE-2026-40502 HIGH
8.7 Apr 16

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative

CVE-2026-6819 HIGH
8.7 Apr 21

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma

CVE-2026-40515 HIGH
8.7 Apr 17

Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens

CVE-2026-6823 HIGH
8.3 Apr 21

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha

CVE-2026-40516 HIGH
7.8 Apr 17

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attack

CVE-2026-56695 HIGH
7.1 Jun 23

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume

CVE-2026-40503 HIGH
7.1 Apr 16

Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server

CVE-2026-6729 MEDIUM
5.3 Apr 20

Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope

CVE-2026-56696 MEDIUM
5.3 Jun 23

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a

Share

CVE-2026-22682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy