CVE-2026-56695: Missing Authorization in HKUDS OpenHarness
CVE-2026-56695 is a high-severity vulnerability in HKUDS OpenHarness versions up to 0.1.9. The ohmo gateway's /resume and /summary commands have their remote_invocable setting defaulted to True, which allows authorized remote users to enumerate and load arbitrary session snapshots by ID. This can expose private prompts, credentials, tool outputs, and file paths through shared gateway channels.
AI Analysis
Technical Summary
The vulnerability in HKUDS OpenHarness arises because the /resume and /summary slash commands are configured with remote_invocable set to True by default. This misconfiguration permits admitted remote senders to enumerate and load session snapshots arbitrarily by their IDs. Exploiting this flaw enables attackers to access sensitive data contained in victim snapshots, including private prompts, credentials, tool output, and file paths, via shared gateway channels. The CVSS 4.0 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required beyond admitted remote sender status, no user interaction, and high impact on confidentiality.
Potential Impact
An attacker with admitted remote sender privileges can enumerate and retrieve arbitrary session snapshots from the OpenHarness ohmo gateway. This leads to unauthorized disclosure of sensitive information such as private prompts, credentials, tool outputs, and file paths. The confidentiality impact is high, while integrity and availability impacts are not indicated. This exposure could compromise user privacy and security of the system relying on OpenHarness.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the ohmo gateway commands /resume and /summary to trusted users only, and consider disabling or modifying the remote_invocable setting to prevent unauthorized enumeration and loading of session snapshots.
CVE-2026-56695: Missing Authorization in HKUDS OpenHarness
Description
CVE-2026-56695 is a high-severity vulnerability in HKUDS OpenHarness versions up to 0.1.9. The ohmo gateway's /resume and /summary commands have their remote_invocable setting defaulted to True, which allows authorized remote users to enumerate and load arbitrary session snapshots by ID. This can expose private prompts, credentials, tool outputs, and file paths through shared gateway channels.
CVSS v4.0
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in HKUDS OpenHarness arises because the /resume and /summary slash commands are configured with remote_invocable set to True by default. This misconfiguration permits admitted remote senders to enumerate and load session snapshots arbitrarily by their IDs. Exploiting this flaw enables attackers to access sensitive data contained in victim snapshots, including private prompts, credentials, tool output, and file paths, via shared gateway channels. The CVSS 4.0 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required beyond admitted remote sender status, no user interaction, and high impact on confidentiality.
Potential Impact
An attacker with admitted remote sender privileges can enumerate and retrieve arbitrary session snapshots from the OpenHarness ohmo gateway. This leads to unauthorized disclosure of sensitive information such as private prompts, credentials, tool outputs, and file paths. The confidentiality impact is high, while integrity and availability impacts are not indicated. This exposure could compromise user privacy and security of the system relying on OpenHarness.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the ohmo gateway commands /resume and /summary to trusted users only, and consider disabling or modifying the remote_invocable setting to prevent unauthorized enumeration and loading of session snapshots.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-22T17:09:16.555Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3aafb1eed863c81e44dd8e
Added to database: 06/23/2026, 16:09:21 UTC
Last enriched: 06/23/2026, 16:24:06 UTC
Last updated: 06/23/2026, 21:12:43 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.