HKUDS OpenHarness versions before commit 166fcfe contain a CWE-863 improper authorization vulnerability in built-in file tools. The root cause is inconsistent handling of the path parameter in permission enforcement, where read_file, write_file, edit_file, and notebook_edit tools fail to pass the path parameter to the PermissionChecker. This flaw allows attackers who can influence the execution of these agent tools with low privileges to bypass access controls and read or write arbitrary files outside the intended repository scope, including sensitive configuration files, credentials, and SSH keys. The vulnerability affects local access scenarios and does not require user interaction or elevated privileges beyond low-level agent execution control.

Successful exploitation allows an attacker with limited local privileges to bypass access control restrictions and read or modify arbitrary files on the host system. This can lead to disclosure of sensitive information such as configuration files, credentials, and SSH keys, or unauthorized file creation and modification in restricted paths. The vulnerability has a CVSS 4.0 score of 8.4 (high severity), indicating significant impact on confidentiality and integrity in affected environments.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or patch is released, restrict access to the affected OpenHarness agent tools to trusted users only and monitor for unauthorized use. Avoid running these tools in environments where untrusted users can influence their execution. Review and update permission enforcement logic to ensure the path parameter is consistently checked by the PermissionChecker in all relevant tools.