Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-40502

CVE-2026-40502: OpenHarness Command Injection Vulnerability

CVE-2026-40502 is a command injection flaw in OpenHarness that allows remote users to execute administrative commands without authorization. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-40502 Overview

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.

Critical Impact

Remote attackers with basic chat access can escalate privileges and modify system permissions without authorization, potentially compromising the entire OpenHarness instance.

Affected Products

  • OpenHarness versions prior to commit dd1d235
  • OpenHarness installations with gateway chat functionality enabled
  • Systems running OpenHarness with default remote command configurations

Discovery Timeline

  • April 16, 2026 - CVE-2026-40502 published to NVD
  • April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-40502

Vulnerability Analysis

This vulnerability stems from CWE-862 (Missing Authorization), where the OpenHarness gateway handler fails to properly distinguish between commands that should only be available locally versus those safe for remote execution. The gateway component processes slash commands from remote chat sessions without verifying whether the requesting user has appropriate privileges to execute administrative functions.

The attack surface is network-accessible and requires only low-privilege authentication (basic chat access). The vulnerability enables attackers to bypass the intended authorization model entirely, allowing them to invoke powerful administrative commands like /permissions full_auto that should be restricted to local operators.

Root Cause

The root cause is the absence of an authorization mechanism to differentiate administrative slash commands from regular user commands in the gateway handler. The original implementation treated all incoming commands from remote channels identically, without maintaining an allowlist or requiring explicit operator approval for sensitive operations.

Attack Vector

Exploitation occurs through network-accessible chat interfaces. An attacker with valid chat access credentials can craft malicious slash commands targeting administrative functions. The gateway processes these commands without verifying the source channel's authorization level, enabling unauthorized permission changes and other administrative actions.

The attack flow involves:

  1. Establishing a remote chat session with the OpenHarness gateway
  2. Sending administrative slash commands (e.g., /permissions full_auto)
  3. The gateway executes these commands without proper authorization checks
  4. System permissions or configurations are modified without operator consent
python
# Security patch in ohmo/gateway/models.py - Adding authorization controls
# Source: https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af

    send_tool_hints: bool = True
    permission_mode: str = "default"
    sandbox_enabled: bool = False
+    allow_remote_admin_commands: bool = False
+    allowed_remote_admin_commands: list[str] = Field(default_factory=list)
    log_level: str = "INFO"
    channel_configs: dict[str, dict] = Field(default_factory=dict)

Detection Methods for CVE-2026-40502

Indicators of Compromise

  • Unexpected permission mode changes in OpenHarness logs (e.g., transitions to full_auto mode)
  • Administrative slash commands originating from remote gateway channels
  • Unusual patterns of /permissions, /plan, or other administrative commands in chat logs
  • Configuration changes occurring without corresponding local operator sessions

Detection Strategies

  • Monitor gateway logs for administrative slash commands from remote sources
  • Implement alerting on permission mode changes that lack corresponding local authentication events
  • Review channel activity logs for anomalous command patterns from untrusted or unexpected sources
  • Deploy network traffic analysis to identify administrative command injection attempts

Monitoring Recommendations

  • Enable verbose logging for the OpenHarness gateway handler to capture all incoming commands
  • Set up alerts for any permission-related configuration changes
  • Audit remote channel configurations and access patterns regularly
  • Implement baseline monitoring for normal administrative command usage to detect deviations

How to Mitigate CVE-2026-40502

Immediate Actions Required

  • Update OpenHarness to commit dd1d235 or later immediately
  • Review and disable remote administrative commands by setting allow_remote_admin_commands to False
  • Audit gateway logs for any unauthorized administrative command execution
  • Restrict gateway chat access to trusted users only until patching is complete

Patch Information

The vulnerability has been addressed in commit dd1d235450dd987b20bff01b7bfb02fe8620a0af. The fix introduces explicit configuration options to control remote administrative command execution:

  • New allow_remote_admin_commands boolean flag (defaults to False)
  • New allowed_remote_admin_commands allowlist for granular control
  • Configuration wizard prompts for secure setup of remote command permissions

For additional details, refer to GitHub Pull Request #127 and the VulnCheck Advisory.

Workarounds

  • Disable gateway functionality entirely if remote chat access is not required
  • Implement network-level access controls to restrict gateway endpoints to trusted IP ranges
  • Use firewall rules to block external access to OpenHarness gateway ports
  • Deploy application-layer proxy rules to filter administrative slash commands from remote sources
python
# Secure configuration example from the patch
# Source: https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af

    allow_remote_admin_commands = _confirm_prompt(
        "Allow explicitly listed administrative slash commands from remote channels?",
        default=existing.allow_remote_admin_commands,
    )
    default_allowlist = ", ".join(existing.allowed_remote_admin_commands)
    allowed_remote_admin_commands: list[str] = []
    if allow_remote_admin_commands:
        allowlist_raw = _text_prompt(
            "Allowed remote admin commands (comma-separated, e.g. permissions, plan)",
            default=default_allowlist,
        )
        allowed_remote_admin_commands = [
            item.strip().lstrip("/")
            for item in allowlist_raw.split(",")
            if item.strip()
        ]

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.