Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.
Analysis
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.
More in Openharness
View allRemote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c
Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative
Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma
Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens
Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove
Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attack
Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume
Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server
Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope
Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24505
GHSA-564h-hx6x-wg47