
CVE-2025-26691: CWE-281 Improper Preservation of Permissions in OpenHarmony

Severity: Medium
Tags: Vulnerability, CVE-2025-26691, CWE-281
Published: Sun Jun 08 2025 (06/08/2025, 11:47:04 UTC)
Source: CVE Database V5
Vendor/Project: OpenHarmony
Product: OpenHarmony

Description

OpenHarmony v5.0.3 and prior versions allow a local attacker to cause an information leak through get permission.

AI-Powered Analysis

Last updated: 07/09/2025, 00:41:13 UTC

Technical Analysis

CVE-2025-26691 is a medium-severity vulnerability affecting OpenHarmony versions 5.0.3 and prior, specifically identified in version 5.0.1. The issue is classified under CWE-281 (Improper Preservation of Permissions). It allows a local attacker with low privileges to cause an information leak by exploiting flaws in the permission-checking logic of the 'get permission' functionality. Exploitation requires no user interaction and does not affect system integrity or availability, but it has a high impact on confidentiality because it exposes sensitive information that correct permission enforcement should have protected.

The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms this: the attack vector is local, attack complexity is low, low privileges are required, no user interaction is needed, scope is unchanged, and the confidentiality impact is high with no integrity or availability impact. No exploits are known in the wild, and no patches have been linked yet, so mitigation currently depends on vendor updates or configuration changes. The root cause is improper permission preservation: the system fails to maintain or enforce correct permission state when handling permission queries, which lets local users reach data they are not authorized to see.

Potential Impact

For European organizations, the primary impact of this vulnerability is the potential unauthorized disclosure of sensitive information within systems running OpenHarmony, particularly in environments where local access is possible, such as shared workstations, kiosks, or devices in multi-user settings. Confidentiality breaches could lead to exposure of personal data, intellectual property, or operational details, which may violate GDPR and other data protection regulations, resulting in legal and reputational consequences. Since OpenHarmony is an open-source operating system designed for IoT and embedded devices, organizations deploying it in critical infrastructure, manufacturing, or smart city applications could face increased risks of information leakage that might facilitate further attacks or espionage. The lack of impact on integrity and availability reduces the risk of direct system disruption but does not diminish the importance of protecting sensitive data. The medium severity suggests that while exploitation requires local access, the consequences of data leakage are significant enough to warrant prompt attention.

Mitigation Recommendations

To mitigate CVE-2025-26691, European organizations should:

1. Monitor OpenHarmony vendor communications closely for official patches or updates addressing this vulnerability and apply them promptly once available.
2. Restrict local access to devices running vulnerable OpenHarmony versions by enforcing strict physical security controls and user authentication mechanisms to limit the pool of potential attackers.
3. Implement role-based access controls and audit permission configurations to ensure that only authorized users can query sensitive permissions or data.
4. Employ endpoint detection and response (EDR) tools capable of monitoring unusual local access patterns or permission queries that could indicate exploitation attempts.
5. Where feasible, isolate OpenHarmony devices in network segments with limited exposure and enforce strict network access controls to reduce the risk of lateral movement after local compromise.
6. Conduct regular security assessments and penetration testing focusing on local privilege escalation and information disclosure vectors to identify and remediate similar permission-related weaknesses proactively.


Technical Details

Data Version: 5.1
Assigner Short Name: OpenHarmony
Date Reserved: 2025-03-02T07:18:04.330Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68458da771f4d251b55103e2

Added to database: 6/8/2025, 1:18:31 PM

Last enriched: 7/9/2025, 12:41:13 AM

Last updated: 8/15/2025, 12:19:45 AM
