
OpenHarness EUVD-2026-26451 | CVE-2026-7551 HIGH

OS Command Injection (CWE-78)
2026-04-30 VulnCheck
CVSS 4.0: 8.7
CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (8 events)

Re-analysis Queued: Apr 30, 2026 - 22:22, vuln.today (cvss_changed)
CVSS changed: Apr 30, 2026 - 22:22, NVD (8.8 (HIGH) → 8.7 (HIGH))
Source Code Evidence Fetched: Apr 30, 2026 - 22:01, vuln.today
Analysis Generated: Apr 30, 2026 - 22:01, vuln.today
EUVD ID Assigned: Apr 30, 2026 - 21:45, euvd (EUVD-2026-26451)
Analysis Generated: Apr 30, 2026 - 21:45, vuln.today
Patch released: Apr 30, 2026 - 21:45, nvd (Patch available)
CVE Published: Apr 30, 2026 - 21:29, nvd (HIGH 8.7)

Description (NVD)

HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.

Analysis (AI)

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system commands via the /bridge slash command. Attackers with remote sender privileges can invoke '/bridge spawn' with malicious command arguments that bypass input validation and execute directly through the shell subprocess helper, granting access to local files, credentials, workspace state, and repository contents. …


Remediation (AI)

Within 24 hours: Identify all HKUDS OpenHarness instances and document which have remote sender privileges enabled and are accessible to untrusted users. Within 7 days: Apply vendor patch (commit 438e373) to all instances; verify /bridge command restrictions are enforced for remote invocations via post-patch testing. …
