CVE-2026-56695 PUBLISHED

OpenHarness - Cross-Session Disclosure via /resume and /summary Commands

Assigner: VulnCheck
Reserved: 22.06.2026 Published: 23.06.2026 Updated: 23.06.2026

The /resume and /summary slash commands of the OpenHarness ohmo gateway default remote_invocable to True, so any admitted remote sender can enumerate and load arbitrary session snapshots by ID. An attacker can exploit this over shared gateway channels to access a victim's snapshots, which contain private prompts, credentials, tool output, and file paths.
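The following is an added illustration of the two defects the description names, written for this record and not taken from OpenHarness: a gateway whose slash commands are remote-invocable by default and whose snapshot loader never compares the snapshot owner with the requesting sender, next to a hardened variant that defaults remote_invocable to False and scopes listing and loading to the sender's own sessions. All class, function and field names (Gateway, Snapshot, Request, resume_unchecked, resume_owner_checked) and the sample sessions are assumptions constructed for the example.

```python
# Hypothetical model of a gateway with remote-invocable slash commands.
# Added illustration for the advisory above, not OpenHarness code; every
# class, function and field name here is an assumption.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Snapshot:
    snapshot_id: str
    owner: str      # identity of the sender whose session this is
    content: str    # prompts, tool output, file paths (constructed sample)


@dataclass
class Request:
    sender: str     # admitted sender identity on the shared channel
    remote: bool    # True when the request arrived over a shared gateway channel
    args: List[str] = field(default_factory=list)


class PermissionDenied(Exception):
    pass


@dataclass
class Command:
    name: str
    handler: Callable[[Request, Dict[str, Snapshot]], str]
    remote_invocable: bool


class Gateway:
    def __init__(self, snapshots: Dict[str, Snapshot], remote_default: bool):
        self.snapshots = snapshots
        # Default applied when a command registration does not say otherwise.
        self.remote_default = remote_default
        self.commands: Dict[str, Command] = {}

    def register(self, name: str, handler, remote_invocable: Optional[bool] = None) -> None:
        if remote_invocable is None:
            remote_invocable = self.remote_default
        self.commands[name] = Command(name, handler, remote_invocable)

    def dispatch(self, name: str, req: Request) -> str:
        cmd = self.commands[name]
        if req.remote and not cmd.remote_invocable:
            raise PermissionDenied(f"{name} is not remote-invocable")
        return cmd.handler(req, self.snapshots)


# Constructed sample data: two users' sessions stored on one gateway.
SNAPSHOTS = {
    "s-001": Snapshot("s-001", "alice", "prompt: rotate prod key; tool output: <api token> (constructed)"),
    "s-002": Snapshot("s-002", "bob", "prompt: summarise /home/bob/notes.md (constructed)"),
}


def resume_unchecked(req: Request, snapshots: Dict[str, Snapshot]) -> str:
    """Weak handler: lists every session and loads any snapshot by ID, owner ignored."""
    if not req.args:
        return ",".join(sorted(snapshots))      # enumerates all sessions on the gateway
    return snapshots[req.args[0]].content


def resume_owner_checked(req: Request, snapshots: Dict[str, Snapshot]) -> str:
    """Hardened handler: only the sender's own snapshots are listed or loaded."""
    if not req.args:
        return ",".join(sorted(s for s, snap in snapshots.items() if snap.owner == req.sender))
    snap = snapshots.get(req.args[0])
    # Same error for missing and foreign IDs so the reply does not confirm existence.
    if snap is None or snap.owner != req.sender:
        raise PermissionDenied("no such snapshot for this sender")
    return snap.content


def vulnerable_gateway() -> Gateway:
    gw = Gateway(dict(SNAPSHOTS), remote_default=True)   # the weak default
    gw.register("/resume", resume_unchecked)
    gw.register("/summary", resume_unchecked)            # same missing check
    return gw


def hardened_gateway() -> Gateway:
    gw = Gateway(dict(SNAPSHOTS), remote_default=False)  # opt in per command
    gw.register("/resume", resume_owner_checked, remote_invocable=True)
    gw.register("/summary", resume_owner_checked, remote_invocable=True)
    return gw


def attempt(gw: Gateway, name: str, sender: str, *args: str) -> Optional[str]:
    """Issue a remote request; return the reply, or None when authorization denies it."""
    try:
        return gw.dispatch(name, Request(sender, remote=True, args=list(args)))
    except PermissionDenied:
        return None


if __name__ == "__main__":
    # carol is an admitted sender on the shared channel with no session of her own.
    print("weak    :", attempt(vulnerable_gateway(), "/resume", "carol", "s-001"))
    print("hardened:", attempt(hardened_gateway(), "/resume", "carol", "s-001"))
```

The ownership comparison in the handler is the actual fix; flipping the remote_invocable default to False only narrows which commands a remote sender can reach and does not by itself stop a remote-enabled /resume from serving another user's snapshot.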

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor HKUDS
Product OpenHarness
Versions Default: unaffected
  • affected from 0 to 0.1.9 (incl.)
  • Version 92e298852c9b9c8c2266236292073623418c640a is unaffected

Credits

  • Chia Min Jun Lennon (finder)

References

Problem Types

  • Missing Authorization (CWE)