Skip to main content

Openharness EUVDEUVD-2026-23452

| CVE-2026-40516 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-17 VulnCheck
7.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Apr 17, 2026 - 17:22 NVD
8.3 (HIGH) 7.8 (HIGH)
Analysis Generated
Apr 17, 2026 - 17:03 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 16:45 euvd
EUVD-2026-23452
Analysis Generated
Apr 17, 2026 - 16:45 vuln.today
Patch released
Apr 17, 2026 - 16:45 nvd
Patch available
CVE Published
Apr 17, 2026 - 16:02 nvd
HIGH 7.8

DescriptionCVE.org

OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an agent session to invoke these tools against loopback, RFC1918, link-local, or other non-public addresses to read response bodies from local development services, cloud metadata endpoints, admin panels, or other private HTTP services reachable from the victim host.

AnalysisAI

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attackers to manipulate web_fetch and web_search tool parameters, forcing the agent to make HTTP requests to internal infrastructure including RFC1918 private networks, localhost services, and cloud metadata endpoints (e.g., AWS EC2 169.254.169.254). Changed scope (S:C) in CVSS vector indicates potential for pivoting beyond the vulnerable application's trust boundary. EPSS data unavailable; no public exploit identified at time of analysis, though exploitation technique is well-understood for SSRF class vulnerabilities. Patch available via GitHub commit bd4df81.

Technical ContextAI

OpenHarness is an AI agent framework (HKUDS project) that provides tool-calling capabilities to large language models. The vulnerable web_fetch and web_search tools execute HTTP requests on behalf of agents without validating destination addresses against SSRF protection lists. CWE-918 (Server-Side Request Forgery) occurs when applications accept user-controlled URLs and fetch them server-side without restricting access to internal resources. The Changed scope in CVSS:3.1/S:C indicates the vulnerability can affect resources beyond the vulnerable component's authorization scope - classic for SSRF where the server's network position grants access to resources unreachable from the attacker's position. Affected CPE cpe:2.3:a:hkuds:openharness identifies all versions prior to the patched commit. The vulnerability exploits the trust relationship between AI agents and their tool implementations, where LLM-generated parameters pass unchecked to network operations.

RemediationAI

Upgrade to OpenHarness commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae or later from https://github.com/HKUDS/OpenHarness (patch confirmed via GitHub commit reference). The fix implements input validation on web_fetch and web_search tool parameters to block requests to private address ranges. For environments unable to immediately upgrade, disable the web_fetch and web_search tools entirely in agent configurations, which eliminates SSRF exposure but removes external web access capabilities from agents. Network-level compensating control: configure egress filtering to block outbound HTTP/HTTPS from OpenHarness processes to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and cloud metadata endpoints (e.g., 169.254.169.254/32 for AWS/GCP/Azure); note this breaks legitimate use cases requiring internal HTTP access and may require allow-listing specific services. Application-level workaround: wrap web_fetch/web_search with a proxy that enforces allowlists of permitted external domains, though this requires code modification and careful maintenance of the allowlist to prevent bypasses.

CVE-2026-7551 HIGH
8.7 Apr 30

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c

CVE-2026-40502 HIGH
8.7 Apr 16

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative

CVE-2026-6819 HIGH
8.7 Apr 21

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma

CVE-2026-40515 HIGH
8.7 Apr 17

Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens

CVE-2026-22682 HIGH
8.4 Apr 07

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove

CVE-2026-6823 HIGH
8.3 Apr 21

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha

CVE-2026-56695 HIGH
7.1 Jun 23

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume

CVE-2026-40503 HIGH
7.1 Apr 16

Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server

CVE-2026-6729 MEDIUM
5.3 Apr 20

Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope

CVE-2026-56696 MEDIUM
5.3 Jun 23

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a

Share

EUVD-2026-23452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy