CVE-2026-40502

Published: Apr 16, 2026

Modified: Apr 16, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.

Vendor	Product	Versions
HKUDS	OpenHarness	affected `0 - < dd1d235450dd987b20bff01b7bfb02fe8620a0af`

Weaknesses (CWE)

CWE-862

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/HKUDS/OpenHarness/pull/127

issue-tracking

https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af

patch

https://www.vulncheck.com/advisories/openharness-remote-administrative-command-injection-via-gateway-handler

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-40502

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References