Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process without filesystem containment validation.
AnalysisAI
Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server via the '/memory show' slash command. Affecting all versions prior to commit dd1d235, attackers can inject directory traversal sequences to escape the project memory directory and access any file readable by the OpenHarness process. CVSS 7.1 reflects high confidentiality impact with low-privilege network access. Vendor patch available via GitHub commit dd1d235450dd987b20bff01b7bfb02fe8620a0af. No public exploit identified at time of analysis, EPSS data unavailable.
Technical ContextAI
OpenHarness is an AI model orchestration framework (HKUDS/OpenHarness). The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the slash command handler for '/memory show'. This command appears designed to retrieve project memory artifacts from a designated directory, but fails to validate or sanitize the path parameter before filesystem operations. Classic path traversal vectors like '../../../etc/passwd' can be injected to navigate outside the intended directory boundary. The affected component processes user-supplied path input without canonicalization, allowing relative path sequences to resolve to arbitrary filesystem locations within the process permission scope. This affects the cpe:2.3:a:hkuds:openharness product across all pre-patch versions.
RemediationAI
Vendor-released patch: commit dd1d235450dd987b20bff01b7bfb02fe8620a0af on GitHub (https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af). Upgrade OpenHarness to any version containing this commit or later by pulling the latest code from the main branch and rebuilding. Review GitHub Pull Request #127 (https://github.com/HKUDS/OpenHarness/pull/127) for implementation details. If immediate patching is not feasible, implement compensating controls: (1) Run the OpenHarness process with a dedicated least-privilege service account that has read access ONLY to necessary directories, preventing traversal to sensitive system files - verify permissions exclude /etc, /root, credential stores; (2) Restrict chat access authentication to trusted users only, reducing the authenticated attacker pool; (3) Deploy filesystem-level access controls (AppArmor, SELinux) to confine the OpenHarness process to its working directory; (4) Monitor filesystem access logs for suspicious read patterns outside expected paths. Note that restricting chat access does not eliminate the vulnerability for authorized users who may be compromised or malicious insiders.
More in Openharness
View allRemote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c
Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative
Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma
Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens
Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha
Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attack
Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume
Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope
Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23143