CVE-2026-56695

MEDIUM 6.5

OpenHarness - Cross-Session Disclosure via /resume and /summary Commands

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.

CWE	CWE-862
Vendor	hkuds
Product	openharness
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for hkuds openharness

Be the first to know when new medium vulnerabilities affecting hkuds openharness are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

HKUDS / OpenHarness

0 ≤ 0.1.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/HKUDS/OpenHarness/pull/276 github.com: https://github.com/HKUDS/OpenHarness/commit/92e298852c9b9c8c2266236292073623418c640a vulncheck.com: https://www.vulncheck.com/advisories/openharness-cross-session-disclosure-via-resume-and-summary-commands

Credits

Chia Min Jun Lennon