Description
OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenHarness allows users to trigger slash commands – /issue and /pr_comments – in any channel that has access to the bot. The commands lack the remote_invocable=False safeguard, which means remote users can send crafted messages that write arbitrary Markdown into project context files. Attackers can place malicious content into .openharness/issue.md and .openharness/pr_comments.md. These files are later read and injected into runtime system prompts, providing the attacker with persistent influence over local agent behavior. The weakness is an access control flaw classified under CWE‑862 and can lead to tampering with automated decision logic.

Affected Systems

The vulnerability affects the OpenHarness platform developed by HKUDS. Although the advisory does not specify exact releases, the missing protection applies to all currently available OpenHarness versions, so any deployed instance may be impacted.

Risk and Exploitability

The CVSS score of 5.3 categorizes this as a medium severity vulnerability. EPSS data is not available, and the weakness is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending a crafted slash command to an allowed channel. By injecting Markdown into the project context files, the attacker can modify the prompts that local agents consume, enabling ongoing manipulation without requiring privileged local access. This path requires only remote communication with the relevant channel and does not necessitate additional credentials.

Generated by OpenCVE AI on June 24, 2026 at 11:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced in commit 27bb93b810e9ea8fa4832eab7152eeb3b4a6bffb, which restores the remote_invocable protection on the /issue and /pr_comments commands.
  • Restrict the use of the /issue and /pr_comments slash commands to trusted or authenticated channels, ensuring that only authorized users or bot accounts can invoke them.
  • Change file permissions for .openharness/issue.md and .openharness/pr_comments.md so that only privileged users or automated processes may modify them.

Generated by OpenCVE AI on June 24, 2026 at 11:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*

Tue, 23 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Hkuds
Hkuds openharness
Vendors & Products Hkuds
Hkuds openharness

Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior.
Title OpenHarness - Prompt Injection via /issue and /pr_comments Slash Commands
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Hkuds Openharness
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:18.100Z

Reserved: 2026-06-22T17:09:16.556Z

Link: CVE-2026-56696

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:30:03Z

Weaknesses