High severity8.8NVD Advisory· Published Apr 16, 2026· Updated Apr 23, 2026
CVE-2026-40502
CVE-2026-40502
Description
OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*range: <2026-04-13
- (no CPE)range: <= commit dd1d235
Patches
Vulnerability mechanics
References
3- github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0afnvdPatch
- github.com/HKUDS/OpenHarness/pull/127nvdExploitIssue Tracking
- www.vulncheck.com/advisories/openharness-remote-administrative-command-injection-via-gateway-handlernvdThird Party Advisory
News mentions
0No linked articles in our index yet.