Skip to main content

Openharness

11 CVEs product

Monthly

CVE-2026-56696 MEDIUM PATCH This Month

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI agent system prompts by exploiting unguarded /issue and /pr_comments slash commands. Any authenticated member of a connected remote channel (e.g., Slack via the ohmo gateway) can write arbitrary attacker-controlled Markdown into .openharness/issue.md and .openharness/pr_comments.md, which are subsequently injected into the agent's runtime system prompt on every subsequent invocation. No public exploit or CISA KEV listing exists at time of analysis, but the upstream patch (PR #272, commit 27bb93b) confirms the vulnerability and its mechanism.

Authentication Bypass Openharness
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56695 HIGH PATCH This Week

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume and /summary slash commands, which were incorrectly registered with remote_invocable=True by default, to enumerate and load arbitrary saved session snapshots by ID. Successful exploitation exposes another user's private prompts, credentials, tool outputs, and file paths exchanged through shared gateway channels (e.g. Slack threads). No public exploit identified at time of analysis, but a vendor patch and detailed test cases (PR #276) make the issue easy to weaponize.

Authentication Bypass Openharness
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-7551 HIGH PATCH This Week

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system commands via the /bridge slash command. Attackers with remote sender privileges can invoke '/bridge spawn' with malicious command arguments that bypass input validation and execute directly through the shell subprocess helper, granting access to local files, credentials, workspace state, and repository contents. Vendor-released patch available (commit 438e373) that restricts /bridge to local-only invocation by default.

Command Injection RCE Openharness
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-6823 HIGH PATCH This Week

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.

Privilege Escalation Openharness
NVD GitHub
CVSS 4.0
8.3
EPSS
0.1%
CVE-2026-6819 HIGH PATCH This Week

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management commands. Pre-PR#156 versions expose /plugin install, /plugin enable, /plugin disable, and /reload-plugins endpoints to unauthenticated remote senders via the channel layer, allowing complete control over plugin trust and activation state. Vendor patch available in v0.1.7 (commit 59017e0). CVSS 8.7 with network vector and no authentication required, though user interaction is needed. No active exploitation confirmed (not in CISA KEV), but VulnCheck advisory and GitHub references provide technical details that could facilitate exploitation.

Privilege Escalation Openharness
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6729 MEDIUM This Month

Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scopes, allowing authenticated users to hijack other participants' sessions and disrupt their active tasks through collision attacks on the shared ohmo session key. The vulnerability requires prior authentication and network access but enables lateral privilege escalation within collaborative environments. No public exploit code has been identified, though the fix is available via upstream commit 3186851c.

Authentication Bypass Openharness
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-40516 HIGH PATCH This Week

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attackers to manipulate web_fetch and web_search tool parameters, forcing the agent to make HTTP requests to internal infrastructure including RFC1918 private networks, localhost services, and cloud metadata endpoints (e.g., AWS EC2 169.254.169.254). Changed scope (S:C) in CVSS vector indicates potential for pivoting beyond the vulnerable application's trust boundary. EPSS data unavailable; no public exploit identified at time of analysis, though exploitation technique is well-understood for SSRF class vulnerabilities. Patch available via GitHub commit bd4df81.

SSRF Openharness
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-40515 HIGH PATCH This Week

Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sensitive files via crafted grep/glob operations. The incomplete path normalization in permission checking allows exploitation of built-in tools to access sensitive root directories, key material, and configuration files despite configured access controls. CVSS 7.5 (High) with network vector and no authentication required. EPSS data not provided. No CISA KEV listing identified, indicating no confirmed widespread active exploitation at time of analysis. Vendor patch available via GitHub commit bd4df81.

Authentication Bypass Openharness
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40502 HIGH PATCH This Week

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative commands like /permissions full_auto without authorization, escalating privileges to modify security controls of running instances. Vulnerability exploits insufficient command validation in chat interface. Fixed in commit dd1d235. CVSS 8.7 (High) with network attack vector and low complexity. EPSS data unavailable; not listed in CISA KEV. VulnCheck advisory and GitHub patch available.

Authentication Bypass Command Injection Openharness
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-40503 HIGH PATCH This Week

Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server via the '/memory show' slash command. Affecting all versions prior to commit dd1d235, attackers can inject directory traversal sequences to escape the project memory directory and access any file readable by the OpenHarness process. CVSS 7.1 reflects high confidentiality impact with low-privilege network access. Vendor patch available via GitHub commit dd1d235450dd987b20bff01b7bfb02fe8620a0af. No public exploit identified at time of analysis, EPSS data unavailable.

Path Traversal Openharness
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-22682 HIGH PATCH This Week

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence over agent tool execution to read arbitrary local files and write/overwrite files outside intended repository boundaries. The vulnerability stems from inconsistent parameter handling where the path parameter is not passed to PermissionChecker in four file operation tools (read_file, write_file, edit_file, notebook_edit), enabling bypass of deny rules to access sensitive credentials, SSH keys, and configuration files. Upstream fix available (PR/commit); released patched version not independently confirmed. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass Openharness
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI agent system prompts by exploiting unguarded /issue and /pr_comments slash commands. Any authenticated member of a connected remote channel (e.g., Slack via the ohmo gateway) can write arbitrary attacker-controlled Markdown into .openharness/issue.md and .openharness/pr_comments.md, which are subsequently injected into the agent's runtime system prompt on every subsequent invocation. No public exploit or CISA KEV listing exists at time of analysis, but the upstream patch (PR #272, commit 27bb93b) confirms the vulnerability and its mechanism.

Authentication Bypass Openharness
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume and /summary slash commands, which were incorrectly registered with remote_invocable=True by default, to enumerate and load arbitrary saved session snapshots by ID. Successful exploitation exposes another user's private prompts, credentials, tool outputs, and file paths exchanged through shared gateway channels (e.g. Slack threads). No public exploit identified at time of analysis, but a vendor patch and detailed test cases (PR #276) make the issue easy to weaponize.

Authentication Bypass Openharness
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system commands via the /bridge slash command. Attackers with remote sender privileges can invoke '/bridge spawn' with malicious command arguments that bypass input validation and execute directly through the shell subprocess helper, granting access to local files, credentials, workspace state, and repository contents. Vendor-released patch available (commit 438e373) that restricts /bridge to local-only invocation by default.

Command Injection RCE Openharness
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.

Privilege Escalation Openharness
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management commands. Pre-PR#156 versions expose /plugin install, /plugin enable, /plugin disable, and /reload-plugins endpoints to unauthenticated remote senders via the channel layer, allowing complete control over plugin trust and activation state. Vendor patch available in v0.1.7 (commit 59017e0). CVSS 8.7 with network vector and no authentication required, though user interaction is needed. No active exploitation confirmed (not in CISA KEV), but VulnCheck advisory and GitHub references provide technical details that could facilitate exploitation.

Privilege Escalation Openharness
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scopes, allowing authenticated users to hijack other participants' sessions and disrupt their active tasks through collision attacks on the shared ohmo session key. The vulnerability requires prior authentication and network access but enables lateral privilege escalation within collaborative environments. No public exploit code has been identified, though the fix is available via upstream commit 3186851c.

Authentication Bypass Openharness
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Server-Side Request Forgery in OpenHarness AI agent framework (pre-commit bd4df81) permits remote unauthenticated attackers to manipulate web_fetch and web_search tool parameters, forcing the agent to make HTTP requests to internal infrastructure including RFC1918 private networks, localhost services, and cloud metadata endpoints (e.g., AWS EC2 169.254.169.254). Changed scope (S:C) in CVSS vector indicates potential for pivoting beyond the vulnerable application's trust boundary. EPSS data unavailable; no public exploit identified at time of analysis, though exploitation technique is well-understood for SSRF class vulnerabilities. Patch available via GitHub commit bd4df81.

SSRF Openharness
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote unauthenticated attackers can bypass path restrictions in OpenHarness (pre-commit bd4df81) to read arbitrary sensitive files via crafted grep/glob operations. The incomplete path normalization in permission checking allows exploitation of built-in tools to access sensitive root directories, key material, and configuration files despite configured access controls. CVSS 7.5 (High) with network vector and no authentication required. EPSS data not provided. No CISA KEV listing identified, indicating no confirmed widespread active exploitation at time of analysis. Vendor patch available via GitHub commit bd4df81.

Authentication Bypass Openharness
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative commands like /permissions full_auto without authorization, escalating privileges to modify security controls of running instances. Vulnerability exploits insufficient command validation in chat interface. Fixed in commit dd1d235. CVSS 8.7 (High) with network attack vector and low complexity. EPSS data unavailable; not listed in CISA KEV. VulnCheck advisory and GitHub patch available.

Authentication Bypass Command Injection Openharness
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server via the '/memory show' slash command. Affecting all versions prior to commit dd1d235, attackers can inject directory traversal sequences to escape the project memory directory and access any file readable by the OpenHarness process. CVSS 7.1 reflects high confidentiality impact with low-privilege network access. Vendor patch available via GitHub commit dd1d235450dd987b20bff01b7bfb02fe8620a0af. No public exploit identified at time of analysis, EPSS data unavailable.

Path Traversal Openharness
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence over agent tool execution to read arbitrary local files and write/overwrite files outside intended repository boundaries. The vulnerability stems from inconsistent parameter handling where the path parameter is not passed to PermissionChecker in four file operation tools (read_file, write_file, edit_file, notebook_edit), enabling bypass of deny rules to access sensitive credentials, SSH keys, and configuration files. Upstream fix available (PR/commit); released patched version not independently confirmed. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass Openharness
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy