Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote over chat bridge with low-privilege admitted-sender membership (PR:L), no user interaction, only confidentiality of other sessions impacted (C:H, I:N, A:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.
AnalysisAI
Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume and /summary slash commands, which were incorrectly registered with remote_invocable=True by default, to enumerate and load arbitrary saved session snapshots by ID. Successful exploitation exposes another user's private prompts, credentials, tool outputs, and file paths exchanged through shared gateway channels (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) the OpenHarness ohmo gateway to be running and bridged to a remote chat platform such as Slack, (2) the attacker to be an 'admitted' sender on a shared channel/thread bridged to the victim's gateway (PR:L - membership in the shared chat surface, not OpenHarness authentication), and (3) the attacker to know or guess a target session ID, though /resume with no argument also restores the latest session of the targeted runtime. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N indicates a network-reachable, low-complexity attack requiring only low privileges (an 'admitted' gateway sender - typically anyone with access to a shared Slack channel or thread bridged to the gateway), no user interaction, and resulting in high confidentiality impact with no integrity or availability impact, yielding the 7.1 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who shares a Slack channel or thread bridged into a victim's ohmo gateway sends the message '/resume <guessed-or-enumerated-session-id>' and receives the restored conversation contents - including system prompts, tool output, and any secrets the victim pasted - back into the shared channel, or uses '/summary' to obtain a condensed version. The patch's own test case (test_runtime_pool_blocks_registered_resume_without_listing_or_loading_other_sessions) effectively documents the exploit by demonstrating Bob loading Alice's snapshot containing ALICE_PRIVATE_RESUME_SECRET. |
| Remediation | Upstream fix available (PR/commit https://github.com/HKUDS/OpenHarness/pull/276 and commit 92e298852c9b9c8c2266236292073623418c640a); released patched version not independently confirmed, so pull a build that includes that commit from HKUDS/OpenHarness main and redeploy the ohmo gateway. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all OpenHarness ohmo gateway instances and identify users/channels with cross-session data exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openharness
View allRemote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c
Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative
Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma
Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens
Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha
Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attack
Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server
Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope
Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38467
GHSA-399c-3gm2-p29v