Skip to main content

Openharness CVE-2026-6823

| EUVDEUVD-2026-24505 HIGH
Incorrect Default Permissions (CWE-276)
2026-04-21 VulnCheck GHSA-564h-hx6x-wg47
8.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 21, 2026 - 21:22 NVD
8.2 (HIGH) 8.3 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 21:01 euvd
EUVD-2026-24505
Patch released
Apr 21, 2026 - 21:01 nvd
Patch available
CVE Published
Apr 21, 2026 - 20:36 nvd
HIGH 8.3

DescriptionCVE.org

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.

Analysis

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.

CVE-2026-7551 HIGH
8.7 Apr 30

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c

CVE-2026-40502 HIGH
8.7 Apr 16

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative

CVE-2026-6819 HIGH
8.7 Apr 21

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma

CVE-2026-40515 HIGH
8.7 Apr 17

Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens

CVE-2026-22682 HIGH
8.4 Apr 07

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove

CVE-2026-40516 HIGH
7.8 Apr 17

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attack

CVE-2026-56695 HIGH
7.1 Jun 23

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume

CVE-2026-40503 HIGH
7.1 Apr 16

Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server

CVE-2026-6729 MEDIUM
5.3 Apr 20

Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope

CVE-2026-56696 MEDIUM
5.3 Jun 23

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a

Share

CVE-2026-6823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy