HKUDS OpenHarness CVE-2026-6819 | EUVD-2026-24292 HIGH

Incorrect Default Permissions (CWE-276)
2026-04-21 VulnCheck GHSA-3xqw-r49f-5rj8
CVSS 4.0: 8.7

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 21, 2026 - 20:51 (vuln.today)
CVSS changed: Apr 21, 2026 - 20:22 (NVD), 8.8 (HIGH) → 8.7 (HIGH)

Description (NVD)

HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system.

Analysis (AI)

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management commands. Pre-PR#156 versions expose /plugin install, /plugin enable, /plugin disable, and /reload-plugins endpoints to unauthenticated remote senders via the channel layer, allowing complete control over plugin trust and activation state. …
