Description
HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system.
Published: 2026-04-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized plugin installation and activation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from HKUDS OpenHarness exposing plugin lifecycle commands, such as "/plugin install", "/plugin enable", "/plugin disable", and "/reload-plugins", through its channel layer by default. This exposure allows an attacker that can reach the channel layer to remotely manage plugin trust and activation state, enabling the installation and activation of unauthorized plugins. The flaw is a misconfiguration related to privilege management, identified as CWE-276, and the CVSS score of 8.7 reflects the high impact of potential unauthorized code execution.

Affected Systems

The affected platform is HKUDS OpenHarness. All versions prior to the remediation commit merged in PR #156 suffer from the exposure. The patch is available in the v0.1.7 release, which incorporates the fix that restricts plugin lifecycle endpoints to authorized users only.

Risk and Exploitability

The vulnerability can be exploited by any remote sender that can access the channel layer, with no additional authentication required. Attackers can trigger unsafe plugin state changes, potentially elevating their privileges or injecting malicious code. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of exposure controls combined with the high CVSS indicates a significant risk for systems that have not applied the latest patch.

Generated by OpenCVE AI on April 22, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenHarness to the latest release v0.1.7 or later to apply the patch from PR #156.
  • Configure the channel layer to restrict access to trusted users only, for example by enforcing authentication or by limiting traffic with firewall rules targeting the plugin management endpoints.
  • Verify that the plugin lifecycle endpoints are no longer publicly accessible and that they require proper authorization before execution.
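As an added illustration of the fix the actions above describe (not OpenHarness's own code, which this record does not show), a hypothetical message dispatcher with the pre-fix default, which executes the four lifecycle commands for any sender, beside a hardened handler that runs them only for a local operator or an explicitly allowlisted sender id; all class, field and function names are assumptions.

```python
from dataclasses import dataclass, field

# The four plugin lifecycle commands named in the advisory. Anything else is
# treated as an ordinary chat message that remote senders may legitimately send.
LIFECYCLE_COMMANDS = ("/plugin install", "/plugin enable", "/plugin disable", "/reload-plugins")


@dataclass(frozen=True)
class Sender:
    sender_id: str
    remote: bool  # True when the message arrived through the channel layer


@dataclass
class Harness:
    # Sender ids allowed to manage plugins remotely (assumed config, not OpenHarness's).
    authorized_ids: frozenset = frozenset()
    enabled_plugins: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _lifecycle_command(text: str):
        # Match the whole command word, so "/plugin installer" is not taken for "/plugin install".
        for cmd in LIFECYCLE_COMMANDS:
            if text == cmd or text.startswith(cmd + " "):
                return cmd
        return None

    def _apply(self, cmd: str, text: str) -> str:
        arg = text[len(cmd):].strip()
        if cmd in ("/plugin install", "/plugin enable"):
            self.enabled_plugins.add(arg)  # install is modelled as install-and-activate
        elif cmd == "/plugin disable":
            self.enabled_plugins.discard(arg)
        # "/reload-plugins" re-reads plugin state; nothing changes in the modelled set.
        return f"executed {cmd}"

    def handle_default(self, sender: Sender, text: str) -> str:
        """Pre-fix behaviour: lifecycle commands run for any sender, remote or not."""
        cmd = self._lifecycle_command(text)
        return "chat" if cmd is None else self._apply(cmd, text)

    def handle_hardened(self, sender: Sender, text: str) -> str:
        """Post-fix behaviour: remote senders need an explicit allowlist entry."""
        cmd = self._lifecycle_command(text)
        if cmd is None:
            return "chat"
        if sender.remote and sender.sender_id not in self.authorized_ids:
            self.audit_log.append(f"DENIED {cmd} from remote sender {sender.sender_id}")
            return "denied"
        return self._apply(cmd, text)
```

The audit entries written on denial are the signal a detection rule would watch for when verifying that the endpoints are no longer open to arbitrary remote senders.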


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

  Type: Metrics
  Values removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

  Type: First Time appeared
  Values added: Hkuds; Hkuds openharness
  Type: Vendors & Products
  Values added: Hkuds; Hkuds openharness

Wed, 22 Apr 2026 00:00:00 +0000

  Type: Description
  Values added: HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system.
  Type: Title
  Values added: HKUDS OpenHarness Plugin Management Command Exposure
  Type: Weaknesses
  Values added: CWE-276
  Type: References
  Values added: (empty)
  Type: Metrics
  Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T14:23:44.338Z

Reserved: 2026-04-21T19:22:21.465Z

Link: CVE-2026-6819

Vulnrichment

Updated: 2026-04-22T13:28:29.365Z

NVD

Status : Received

Published: 2026-04-21T20:17:05.780

Modified: 2026-04-22T14:17:07.063

Link: CVE-2026-6819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:23Z

Weaknesses