High severity8.8NVD Advisory· Published Apr 30, 2026· Updated May 4, 2026
CVE-2026-7551
CVE-2026-7551
Description
HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*range: <2026-04-27
- (no CPE)
Patches
Vulnerability mechanics
References
3- github.com/HKUDS/OpenHarness/commit/438e37309778e19060dfe7b172eb142e543c4cd6nvdPatch
- github.com/HKUDS/OpenHarness/pull/208nvdExploitIssue TrackingPatchThird Party Advisory
- www.vulncheck.com/advisories/hkuds-openharness-remote-command-execution-via-bridge-slash-commandnvdThird Party Advisory
News mentions
0No linked articles in our index yet.