Impact
OpenHarness allows users to trigger slash commands – /issue and /pr_comments – in any channel that has access to the bot. The commands lack the remote_invocable=False safeguard, which means remote users can send crafted messages that write arbitrary Markdown into project context files. Attackers can place malicious content into .openharness/issue.md and .openharness/pr_comments.md. These files are later read and injected into runtime system prompts, providing the attacker with persistent influence over local agent behavior. The weakness is an access control flaw classified under CWE‑862 and can lead to tampering with automated decision logic.
Affected Systems
The vulnerability affects the OpenHarness platform developed by HKUDS. Although the advisory does not specify exact releases, the missing protection applies to all currently available OpenHarness versions, so any deployed instance may be impacted.
Risk and Exploitability
The CVSS score of 5.3 categorizes this as a medium severity vulnerability. EPSS data is not available, and the weakness is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending a crafted slash command to an allowed channel. By injecting Markdown into the project context files, the attacker can modify the prompts that local agents consume, enabling ongoing manipulation without requiring privileged local access. This path requires only remote communication with the relevant channel and does not necessitate additional credentials.
OpenCVE Enrichment