Description
OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an agent session to invoke these tools against loopback, RFC1918, link-local, or other non-public addresses to read response bodies from local development services, cloud metadata endpoints, admin panels, or other private HTTP services reachable from the victim host.
Published: 2026-04-17
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery allowing access to internal or private services
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in OpenHarness's web_fetch and web_search utilities. By manipulating the parameters supplied to these tools, an attacker can direct the server to perform HTTP requests to arbitrary addresses without validation. This lack of validation leads to server-side request forgery, enabling the attacker to read response bodies from services that are normally inaccessible from the external network, such as local development servers, cloud metadata endpoints, and administration panels.

Affected Systems

The flaw is present in all OpenHarness installations that use the web_fetch or web_search features before the commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae. The affected product is OpenHarness, classified under the HKUDS vendor. No version numbers are supplied beyond the commit, so any deployment using a pre‑patch copy of the code is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, though the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited prior exploitation. The likely attack vector is an authenticated or unauthenticated agent session that can trigger the web_fetch or web_search commands. If the attacker can submit crafted parameters through these tools, they can access private services tied to the victim host, potentially exposing sensitive configuration data or internal APIs. Operational impact ranges from data leakage to potential pivoting within the network, depending on the services accessed.

Generated by OpenCVE AI on April 18, 2026 at 09:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that fixes the vulnerability by installing the code after commit bd4df81 or upgrading to the latest release of OpenHarness that contains the fix.
  • Restrict the execution of web_fetch and web_search commands to privileged accounts or isolate the host from public networks to reduce attack surface.
  • If the tools are not required, disable or remove them from the deployment to eliminate the flaw.

Generated by OpenCVE AI on April 18, 2026 at 09:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Hkuds
Hkuds openharness
Vendors & Products Hkuds
Hkuds openharness

Fri, 17 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an agent session to invoke these tools against loopback, RFC1918, link-local, or other non-public addresses to read response bodies from local development services, cloud metadata endpoints, admin panels, or other private HTTP services reachable from the victim host.
Title OpenHarness SSRF via web_fetch and web_search
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}

cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:L'}

Subscriptions

Hkuds Openharness
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-17T16:27:11.780Z

Reserved: 2026-04-13T20:29:02.809Z

Link: CVE-2026-40516

cve-icon Vulnrichment

Updated: 2026-04-17T16:26:57.697Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T17:17:09.327

Modified: 2026-04-17T19:01:56.030

Link: CVE-2026-40516

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses