Skip to main content

OpenHarness CVE-2026-7551

| EUVDEUVD-2026-26451 HIGH
OS Command Injection (CWE-78)
2026-04-30 VulnCheck
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 30, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 22:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
Apr 30, 2026 - 22:01 vuln.today
Analysis Generated
Apr 30, 2026 - 22:01 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:45 euvd
EUVD-2026-26451
Analysis Generated
Apr 30, 2026 - 21:45 vuln.today
Patch released
Apr 30, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 30, 2026 - 21:29 nvd
HIGH 8.7

DescriptionCVE.org

HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.

AnalysisAI

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system commands via the /bridge slash command. Attackers with remote sender privileges can invoke '/bridge spawn' with malicious command arguments that bypass input validation and execute directly through the shell subprocess helper, granting access to local files, credentials, workspace state, and repository contents. Vendor-released patch available (commit 438e373) that restricts /bridge to local-only invocation by default.

Technical ContextAI

OpenHarness is an AI-powered development harness that implements a slash command system for managing bridge sessions and runtime environments. The vulnerability exists in the command registry implementation (src/openharness/commands/registry.py) where the /bridge command was registered without the remote_invocable=False flag, allowing remote message sources (Feishu, Slack, etc.) to invoke bridge session spawning. The underlying issue is CWE-78 (OS Command Injection) where user-controlled text from the /bridge spawn command is passed to a shared shell subprocess helper without sanitization. The architecture uses a gateway/runtime pool pattern where inbound messages from multiple channels are routed to command handlers. Prior to the patch, remote senders accepted by configuration could reach the _bridge_handler, which forwards spawn arguments directly to the bridge session manager's shell execution layer.

RemediationAI

Apply vendor-released patch by updating to OpenHarness commit 438e37309778e19060dfe7b172eb142e543c4cd6 or later from the main branch (https://github.com/HKUDS/OpenHarness/commit/438e37309778e19060dfe7b172eb142e543c4cd6). The patch modifies src/openharness/commands/registry.py to register the /bridge command with remote_invocable=False and remote_admin_opt_in=True flags, blocking remote invocation by default while allowing administrators to explicitly enable it if needed. For organizations requiring remote /bridge access, carefully review security implications and implement strict authentication/authorization controls before enabling remote_admin_opt_in. Interim workaround (with operational trade-offs): disable all remote message channel integrations (Feishu/Slack connectors) and restrict OpenHarness access to local UI only, which eliminates the network attack vector but breaks remote collaboration workflows. Alternatively, implement network-level controls to restrict remote message channel access to trusted IP ranges and monitor /bridge command invocations in application logs, though this does not prevent exploitation by authenticated malicious insiders. Verify patch effectiveness by running the new test cases in tests/test_ohmo/test_gateway.py::test_runtime_pool_blocks_bridge_spawn_from_remote_messages.

CVE-2026-40502 HIGH
8.7 Apr 16

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative

CVE-2026-6819 HIGH
8.7 Apr 21

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma

CVE-2026-40515 HIGH
8.7 Apr 17

Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens

CVE-2026-22682 HIGH
8.4 Apr 07

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove

CVE-2026-6823 HIGH
8.3 Apr 21

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha

CVE-2026-40516 HIGH
7.8 Apr 17

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attack

CVE-2026-56695 HIGH
7.1 Jun 23

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume

CVE-2026-40503 HIGH
7.1 Apr 16

Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server

CVE-2026-6729 MEDIUM
5.3 Apr 20

Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope

CVE-2026-56696 MEDIUM
5.3 Jun 23

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a

Share

CVE-2026-7551 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy