High severity8.8NVD Advisory· Published Apr 16, 2026· Updated Apr 23, 2026

CVE-2026-40502

Description

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.

Affected products

Hkuds/Openharness
cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*
Range: <2026-04-13

Patches

dd1d235450dd

https://github.com/HKUDS/OpenHarnessvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0afnvdPatch
github.com/HKUDS/OpenHarness/pull/127nvdExploitIssue Tracking
www.vulncheck.com/advisories/openharness-remote-administrative-command-injection-via-gateway-handlernvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000