Description
HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Session Hijacking / Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

HKUDS OpenHarness derives its shared ohmo session key without verifying sender identity in shared chats or threads. An authenticated participant can therefore collide into another user's session and reuse their conversation state. The attacker can then hijack the victim's session and replace or interrupt their active tasks, which amounts to unauthorized privilege escalation within the application. The vulnerability is classified as improper authentication (CWE-287).

Affected Systems

The affected product is OpenHarness from HKUDS. All releases prior to the fix committed in PR #159 are vulnerable. No precise version numbers are provided, but any installation that has not incorporated the patch is affected.

Risk and Exploitability

The CVSS v4.0 score of 5.3 (the CVSS v3.1 score is 6.3) indicates medium severity. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the current likelihood of exploitation remains uncertain. An attacker must first be an authenticated user in a shared chat or thread; from that point, hijacking a peer's session can be achieved by colliding into the same session boundary. This creates a privilege escalation path that is limited to the scope of the shared conversation but is still noteworthy for security teams. Based on the description, we infer that the attacker is already authenticated and authorized to participate in the shared space; the vulnerability does not appear to be exploitable by unauthenticated users.

Generated by OpenCVE AI on April 20, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from PR #159 to update OpenHarness to a version that verifies sender identity in session key derivation.
  • If immediate patching is not possible, limit or disable shared chat and thread scopes to prevent the collision of session keys.
  • Review and validate that session key handling includes sender identity verification in future releases or custom builds.

Generated by OpenCVE AI on April 20, 2026 at 23:57 UTC.
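
The weakness described above and the third recommended action can be illustrated with a small audit. This is an added example, not code from OpenHarness, PR #159 or OpenCVE; the message shape, function names and sample traffic are hypothetical and constructed for illustration.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple

class Inbound(NamedTuple):  # hypothetical message shape, not OpenHarness's own
    channel: str
    chat_id: str
    thread_id: str
    sender_id: str  # must be the platform-authenticated sender, never message text

def _digest(*parts: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    h = hashlib.sha256()
    for part in parts:
        raw = part.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()[:16]

def scope_only_key(m: Inbound) -> str:
    """Weak pattern: the session boundary is the chat/thread scope alone."""
    return _digest(m.channel, m.chat_id, m.thread_id)

def sender_bound_key(m: Inbound) -> str:
    """Hardened pattern: the sender identity is part of the session boundary."""
    return _digest(m.channel, m.chat_id, m.thread_id, m.sender_id)

def shared_sessions(messages, derive):
    """Return {session_key: [senders]} for keys that more than one sender maps to."""
    owners = defaultdict(set)
    for m in messages:
        owners[derive(m)].add(m.sender_id)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

# Constructed sample traffic: two users in one group thread, one user in a DM.
SAMPLE = [
    Inbound("example-channel", "C100", "T1", "alice"),
    Inbound("example-channel", "C100", "T1", "bob"),
    Inbound("example-channel", "D200", "", "carol"),
]

if __name__ == "__main__":
    print("scope-only  :", shared_sessions(SAMPLE, scope_only_key))
    print("sender-bound:", shared_sessions(SAMPLE, sender_bound_key))
```

Running the same audit over a custom build's own key derivation and a sample of its inbound events shows whether any session key is still reachable by more than one sender.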

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.
Title | | HKUDS OpenHarness Session Key Collision Privilege Escalation
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T22:01:38.766Z

Reserved: 2026-04-20T21:48:49.949Z

Link: CVE-2026-6729

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T22:16:23.800

Modified: 2026-04-20T22:16:23.800

Link: CVE-2026-6729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses