Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an agent session to invoke these tools against loopback, RFC1918, link-local, or other non-public addresses to read response bodies from local development services, cloud metadata endpoints, admin panels, or other private HTTP services reachable from the victim host.
AnalysisAI
Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attackers to manipulate web_fetch and web_search tool parameters, forcing the agent to make HTTP requests to internal infrastructure including RFC1918 private networks, localhost services, and cloud metadata endpoints (e.g., AWS EC2 169.254.169.254). Changed scope (S:C) in CVSS vector indicates potential for pivoting beyond the vulnerable application's trust boundary. EPSS data unavailable; no public exploit identified at time of analysis, though exploitation technique is well-understood for SSRF class vulnerabilities. Patch available via GitHub commit bd4df81.
Technical ContextAI
OpenHarness is an AI agent framework (HKUDS project) that provides tool-calling capabilities to large language models. The vulnerable web_fetch and web_search tools execute HTTP requests on behalf of agents without validating destination addresses against SSRF protection lists. CWE-918 (Server-Side Request Forgery) occurs when applications accept user-controlled URLs and fetch them server-side without restricting access to internal resources. The Changed scope in CVSS:3.1/S:C indicates the vulnerability can affect resources beyond the vulnerable component's authorization scope - classic for SSRF where the server's network position grants access to resources unreachable from the attacker's position. Affected CPE cpe:2.3:a:hkuds:openharness identifies all versions prior to the patched commit. The vulnerability exploits the trust relationship between AI agents and their tool implementations, where LLM-generated parameters pass unchecked to network operations.
RemediationAI
Upgrade to OpenHarness commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae or later from https://github.com/HKUDS/OpenHarness (patch confirmed via GitHub commit reference). The fix implements input validation on web_fetch and web_search tool parameters to block requests to private address ranges. For environments unable to immediately upgrade, disable the web_fetch and web_search tools entirely in agent configurations, which eliminates SSRF exposure but removes external web access capabilities from agents. Network-level compensating control: configure egress filtering to block outbound HTTP/HTTPS from OpenHarness processes to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and cloud metadata endpoints (e.g., 169.254.169.254/32 for AWS/GCP/Azure); note this breaks legitimate use cases requiring internal HTTP access and may require allow-listing specific services. Application-level workaround: wrap web_fetch/web_search with a proxy that enforces allowlists of permitted external domains, though this requires code modification and careful maintenance of the allowlist to prevent bypasses.
More in Openharness
View allRemote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c
Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative
Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma
Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens
Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha
Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume
Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server
Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope
Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23452