Description
OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.
Published: 2026-04-16
Score: 8.7 High
EPSS: 1.4% Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

OpenHarness versions before commit dd1d235450dd987b20bff01b7bfb02fe8620a0af contain a command‑injection flaw in the gateway handler. The handler cannot properly differentiate between local‑only and remote‑safe commands, allowing remote gateway users who have chat access to invoke privileged administrative commands such as "/permissions full_auto". This can change permission modes of a running OpenHarness instance without operator authorization, effectively giving the attacker elevated control.

Affected Systems

The affected product is OpenHarness from HKUDS. Any installation running a version prior to the commit dd1d235450dd987b20bff01b7bfb02fe8620a0af is vulnerable. No specific release numbers are listed, so all instances should be considered affected until a patch is applied.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score is less than 1%, suggesting that exploitation is unlikely but still possible. Exploitation requires that an attacker have remote gateway chat access, which is typically granted to authenticated users. While the attack surface is limited to environments that enable chat‑based gateway access, the impact of a successful exploit is significant because it allows alteration of system permissions and potentially broader administrative privileges.

Generated by OpenCVE AI on April 17, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenHarness update that includes commit dd1d235450dd987b20bff01b7bfb02fe8620a0af, which removes the command injection flaw.
  • If an immediate upgrade is not feasible, limit chat permissions so that only non‑administrative users can access the gateway or disable chat‑based command execution entirely.
  • Enable logging of all administrative command executions and monitor logs for unauthorized changes to permission settings.
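
The second and third actions above, as an added sketch that is not OpenHarness code: a chat-command dispatcher that refuses remote-origin commands unless they are explicitly marked remote-safe, and logs every local-only command attempt. The registry, handler bodies, logger name and `Origin` type are hypothetical; only `/permissions full_auto` comes from the advisory.

```python
import logging
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List

audit = logging.getLogger("gateway.audit")  # hypothetical logger name


class Origin(Enum):
    LOCAL = "local"    # operator at the console
    REMOTE = "remote"  # user talking through the chat gateway


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Command:
    handler: Callable[[List[str]], str]
    remote_safe: bool = False  # deny by default: new commands are local-only


# Hypothetical registry; only "/permissions" is named in the advisory.
REGISTRY: Dict[str, Command] = {
    "/help": Command(lambda args: "commands: /help, /permissions", remote_safe=True),
    "/permissions": Command(lambda args: "mode set to " + " ".join(args)),
}


def dispatch(line: str, origin: Origin, user: str) -> str:
    """Run a slash command only if the caller's origin is allowed to use it."""
    parts = line.split()
    if not parts:
        raise ValueError("empty command")
    name, args = parts[0], parts[1:]
    cmd = REGISTRY.get(name)
    if cmd is None:
        raise KeyError(name)
    if origin is Origin.REMOTE and not cmd.remote_safe:
        # The authorization check whose absence is classed as CWE-862.
        audit.warning("denied %s from remote user %s args=%r", name, user, args)
        raise PermissionDenied(f"{name} is local-only")
    if not cmd.remote_safe:
        audit.info("admin command %s by %s args=%r", name, user, args)
    return cmd.handler(args)
```

Because `remote_safe` defaults to `False`, a command added to the registry later stays unreachable from the gateway until someone deliberately opts it in.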



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*

Thu, 16 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hkuds; Hkuds openharness
Vendors & Products | | Hkuds; Hkuds openharness

Thu, 16 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.
Title | | OpenHarness Remote Administrative Command Injection via Gateway Handler
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-16T14:19:24.128Z

Reserved: 2026-04-13T20:29:02.808Z

Link: CVE-2026-40502

Vulnrichment

Updated: 2026-04-16T14:19:18.926Z

NVD

Status: Analyzed

Published: 2026-04-16T01:16:11.250

Modified: 2026-04-23T19:48:16.540

Link: CVE-2026-40502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T06:30:11Z
