Impact
HKUDS OpenHarness includes a session key derivation flaw: in shared chats or threads, the session key is derived without verifying the sender's identity. The flaw permits an authenticated participant to collide with another user's session and reuse that user's conversation state. As a result, the attacker can hijack the victim's session and replace or interrupt their active tasks, leading to unauthorized privilege escalation within the application. The vulnerability falls under authentication bypass (CWE-287).
Affected Systems
The affected product is OpenHarness from HKUDS. All releases prior to the fix committed in PR #159 are vulnerable. No precise version numbers are provided, but any installation that has not incorporated the patch is affected.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. Because no EPSS score is available and the vulnerability is not listed in CISA KEV, the current likelihood of exploitation remains uncertain. An attacker must first be an authenticated user in a shared chat or thread; from that point, a peer's session can be hijacked because both participants resolve to the same session boundary. This creates a privilege escalation path limited to the scope of the shared conversation, but one that is still noteworthy for security teams. Based on the description, we infer that the attack is executed by an attacker who is already authenticated and authorized to participate in the shared space; the vulnerability does not appear to be exploitable by unauthenticated users.
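The following is an added illustration of the flaw class described in the Impact and Risk sections above; it is not OpenHarness code and not the fix from PR #159. It assumes a Python service that keys per-conversation session state by an HMAC over message attributes; the `Message` fields, `SERVER_SECRET`, and the `SessionStore` class are constructed for this example. The vulnerable derivation uses only the shared conversation scope, so two authenticated participants in the same thread obtain the same key; the hardened derivation binds the authenticated sender identity into the key so each participant gets a distinct session.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder; a real service loads this from its key store.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


@dataclass(frozen=True)
class Message:
    """One inbound message in a shared chat. Field names are assumptions."""
    chat_id: str
    thread_id: str
    sender_id: str  # must come from the authentication layer, not the client body


def derive_session_key_vulnerable(msg: Message) -> str:
    """Flawed pattern: key depends only on the shared conversation scope.

    Every participant in the same chat/thread derives the same key, so one
    participant's messages resolve to (and can reuse) another's session state.
    """
    material = f"{msg.chat_id}|{msg.thread_id}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


def derive_session_key_fixed(msg: Message) -> str:
    """Hardened pattern: the verified sender identity is part of the key material.

    Distinct senders in the same thread now map to distinct sessions.
    """
    material = f"{msg.chat_id}|{msg.thread_id}|{msg.sender_id}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal in-memory session table keyed by the derived session key."""

    def __init__(self, derive):
        self._derive = derive
        self._sessions: dict[str, dict] = {}

    def handle(self, msg: Message) -> dict:
        key = self._derive(msg)
        # First message for a key creates the session and records its owner.
        session = self._sessions.setdefault(
            key, {"owner": msg.sender_id, "tasks": []}
        )
        session["tasks"].append(f"task-from-{msg.sender_id}")
        return session


def sessions_collide(derive, a: Message, b: Message) -> bool:
    """Regression check: two different senders must never share a session key."""
    return a.sender_id != b.sender_id and derive(a) == derive(b)


def demo() -> tuple[bool, bool]:
    """Run both derivations through the store and report whether the second
    participant lands in a session it does not own.

    Returns (collision_with_vulnerable_derivation, collision_with_fixed_derivation).
    """
    first = Message("chat-1", "thread-1", "alice")
    second = Message("chat-1", "thread-1", "bob")
    results = []
    for derive in (derive_session_key_vulnerable, derive_session_key_fixed):
        store = SessionStore(derive)
        store.handle(first)
        session = store.handle(second)
        results.append(session["owner"] != second.sender_id)
    return (results[0], results[1])


if __name__ == "__main__":
    vulnerable_hit, fixed_hit = demo()
    print(f"vulnerable derivation collides across senders: {vulnerable_hit}")
    print(f"fixed derivation collides across senders:      {fixed_hit}")
```

The `sessions_collide` helper is the kind of check worth adding to a test suite after a patch like the one in PR #159: construct two messages from different authenticated senders in the same chat and thread and assert their derived keys differ. Note that the binding only helps if `sender_id` is populated from the authenticated principal rather than from a client-controlled message field.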