VYPR
High severity (CVSS 8.8), NVD Advisory. Published Apr 16, 2026. Updated Apr 23, 2026.

CVE-2026-40502

Description

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.

Affected products (2)

  • hkuds/openharness, 2 versions:
    • cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:* (range: < 2026-04-13)
    • (no CPE) range: <= commit dd1d235
