Unrated severityNVD Advisory· Published Jun 23, 2026

OpenHarness - Cross-Session Disclosure via /resume and /summary Commands

CVE-2026-56695

Description

OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Hkuds/Openharnessllm-fuzzy

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/HKUDS/OpenHarness/commit/92e298852c9b9c8c2266236292073623418c640amitrepatch
www.vulncheck.com/advisories/openharness-cross-session-disclosure-via-resume-and-summary-commandsmitrethird-party-advisory
github.com/HKUDS/OpenHarness/pull/276mitreissue-tracking

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000