Skip to main content

OpenHarness EUVDEUVD-2026-38467

| CVE-2026-56695 HIGH
Missing Authorization (CWE-862)
2026-06-23 VulnCheck GHSA-399c-3gm2-p29v
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Remote over chat bridge with low-privilege admitted-sender membership (PR:L), no user interaction, only confidentiality of other sessions impacted (C:H, I:N, A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 16:00 vuln.today
Analysis Generated
Jun 23, 2026 - 16:00 vuln.today

DescriptionCVE.org

OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.

AnalysisAI

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume and /summary slash commands, which were incorrectly registered with remote_invocable=True by default, to enumerate and load arbitrary saved session snapshots by ID. Successful exploitation exposes another user's private prompts, credentials, tool outputs, and file paths exchanged through shared gateway channels (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join shared bridged chat channel
Delivery
Send /resume or /summary with target session ID
Exploit
Gateway dispatches remote-invocable command
Execution
Handler loads victim snapshot from workspace store
Persist
Snapshot contents returned to attacker's channel message
Impact
Exfiltrate prompts, credentials, and tool output

Vulnerability AssessmentAI

Exploitation Requires (1) the OpenHarness ohmo gateway to be running and bridged to a remote chat platform such as Slack, (2) the attacker to be an 'admitted' sender on a shared channel/thread bridged to the victim's gateway (PR:L - membership in the shared chat surface, not OpenHarness authentication), and (3) the attacker to know or guess a target session ID, though /resume with no argument also restores the latest session of the targeted runtime. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N indicates a network-reachable, low-complexity attack requiring only low privileges (an 'admitted' gateway sender - typically anyone with access to a shared Slack channel or thread bridged to the gateway), no user interaction, and resulting in high confidentiality impact with no integrity or availability impact, yielding the 7.1 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who shares a Slack channel or thread bridged into a victim's ohmo gateway sends the message '/resume <guessed-or-enumerated-session-id>' and receives the restored conversation contents - including system prompts, tool output, and any secrets the victim pasted - back into the shared channel, or uses '/summary' to obtain a condensed version. The patch's own test case (test_runtime_pool_blocks_registered_resume_without_listing_or_loading_other_sessions) effectively documents the exploit by demonstrating Bob loading Alice's snapshot containing ALICE_PRIVATE_RESUME_SECRET.
Remediation Upstream fix available (PR/commit https://github.com/HKUDS/OpenHarness/pull/276 and commit 92e298852c9b9c8c2266236292073623418c640a); released patched version not independently confirmed, so pull a build that includes that commit from HKUDS/OpenHarness main and redeploy the ohmo gateway. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all OpenHarness ohmo gateway instances and identify users/channels with cross-session data exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-7551 HIGH
8.7 Apr 30

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system c

CVE-2026-40502 HIGH
8.7 Apr 16

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative

CVE-2026-6819 HIGH
8.7 Apr 21

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management comma

CVE-2026-40515 HIGH
8.7 Apr 17

Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sens

CVE-2026-22682 HIGH
8.4 Apr 07

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence ove

CVE-2026-6823 HIGH
8.3 Apr 21

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha

CVE-2026-40516 HIGH
7.8 Apr 17

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attack

CVE-2026-40503 HIGH
7.1 Apr 16

Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server

CVE-2026-6729 MEDIUM
5.3 Apr 20

Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scope

CVE-2026-56696 MEDIUM
5.3 Jun 23

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI a

Share

EUVD-2026-38467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy