CVE-2026-40502 Overview
OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.
Critical Impact
Remote attackers with basic chat access can escalate privileges and modify system permissions without authorization, potentially compromising the entire OpenHarness instance.
Affected Products
- OpenHarness versions prior to commit dd1d235
- OpenHarness installations with gateway chat functionality enabled
- Systems running OpenHarness with default remote command configurations
Discovery Timeline
- April 16, 2026 - CVE-2026-40502 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40502
Vulnerability Analysis
This vulnerability stems from CWE-862 (Missing Authorization), where the OpenHarness gateway handler fails to properly distinguish between commands that should only be available locally versus those safe for remote execution. The gateway component processes slash commands from remote chat sessions without verifying whether the requesting user has appropriate privileges to execute administrative functions.
The attack surface is network-accessible and requires only low-privilege authentication (basic chat access). The vulnerability enables attackers to bypass the intended authorization model entirely, allowing them to invoke powerful administrative commands like /permissions full_auto that should be restricted to local operators.
Root Cause
The root cause is the absence of an authorization mechanism to differentiate administrative slash commands from regular user commands in the gateway handler. The original implementation treated all incoming commands from remote channels identically, without maintaining an allowlist or requiring explicit operator approval for sensitive operations.
Attack Vector
Exploitation occurs through network-accessible chat interfaces. An attacker with valid chat access credentials can craft malicious slash commands targeting administrative functions. The gateway processes these commands without verifying the source channel's authorization level, enabling unauthorized permission changes and other administrative actions.
The attack flow involves:
- Establishing a remote chat session with the OpenHarness gateway
- Sending administrative slash commands (e.g., /permissions full_auto)
- The gateway executing these commands without proper authorization checks
- System permissions or configurations being modified without operator consent
# Security patch in ohmo/gateway/models.py - Adding authorization controls
# Source: https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af
send_tool_hints: bool = True
permission_mode: str = "default"
sandbox_enabled: bool = False
+ allow_remote_admin_commands: bool = False
+ allowed_remote_admin_commands: list[str] = Field(default_factory=list)
log_level: str = "INFO"
channel_configs: dict[str, dict] = Field(default_factory=dict)
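Review bot: the two added fields, allow_remote_admin_commands and allowed_remote_admin_commands, are declared with no comment or validation tying them together, so a config can carry a non-empty allowlist while the flag is False, or the flag set to True with an empty list, and nothing in the model says which setting wins. Suggest documenting on the fields that the allowlist is ignored unless the flag is True and that an empty list permits nothing, and adding a validator on allowed_remote_admin_commands that strips whitespace and a leading "/" so that "/permissions" and "permissions" in a hand-edited config are treated the same.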
Detection Methods for CVE-2026-40502
Indicators of Compromise
- Unexpected permission mode changes in OpenHarness logs (e.g., transitions to full_auto mode)
- Administrative slash commands originating from remote gateway channels
- Unusual patterns of /permissions, /plan, or other administrative commands in chat logs
- Configuration changes occurring without corresponding local operator sessions
Detection Strategies
- Monitor gateway logs for administrative slash commands from remote sources
- Implement alerting on permission mode changes that lack corresponding local authentication events
- Review channel activity logs for anomalous command patterns from untrusted or unexpected sources
- Deploy network traffic analysis to identify administrative command injection attempts
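The first two strategies above, sketched as an added example (not OpenHarness code and not part of the original advisory). The JSON-lines event schema, the scan() function and the sample events are constructed for illustration; map the field names to whatever your gateway actually logs.

```python
import json

ADMIN = {"permissions", "plan"}  # admin commands named in this advisory; extend per deployment

# Constructed sample events. The schema (ts, event, source, user, text, mode) is an
# assumption for illustration, not OpenHarness's real log format.
SAMPLE_LOG = """\
{"ts": "2026-04-16T10:00:01Z", "event": "command", "source": "local", "user": "operator", "text": "/plan"}
{"ts": "2026-04-16T10:02:13Z", "event": "command", "source": "remote", "user": "guest7", "text": "/permissions full_auto"}
{"ts": "2026-04-16T10:02:13Z", "event": "permission_mode_changed", "mode": "full_auto"}
{"ts": "2026-04-16T10:05:40Z", "event": "command", "source": "remote", "user": "guest7", "text": "/help"}
not-json debris line
"""


def scan(log_text):
    """Return findings as (kind, timestamp, user, detail) tuples."""
    findings, last_admin_source = [], None
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not structured events
        if not isinstance(ev, dict):
            continue
        if ev.get("event") == "command":
            text = str(ev.get("text", "")).strip()
            is_slash = text.startswith("/") and len(text) > 1
            name = text[1:].split(maxsplit=1)[0].lower() if is_slash else ""
            if name in ADMIN:
                last_admin_source = ev.get("source")
                if last_admin_source == "remote":
                    findings.append(("remote_admin_command", ev.get("ts"), ev.get("user"), text))
        elif ev.get("event") == "permission_mode_changed":
            # Alert unless the most recent admin command came from a local operator.
            if last_admin_source != "local":
                findings.append(
                    ("mode_change_without_local_operator", ev.get("ts"), None, ev.get("mode"))
                )
            last_admin_source = None
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```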
Monitoring Recommendations
- Enable verbose logging for the OpenHarness gateway handler to capture all incoming commands
- Set up alerts for any permission-related configuration changes
- Audit remote channel configurations and access patterns regularly
- Implement baseline monitoring for normal administrative command usage to detect deviations
How to Mitigate CVE-2026-40502
Immediate Actions Required
- Update OpenHarness to commit dd1d235 or later immediately
- Review and disable remote administrative commands by setting allow_remote_admin_commands to False
- Audit gateway logs for any unauthorized administrative command execution
- Restrict gateway chat access to trusted users only until patching is complete
Patch Information
The vulnerability has been addressed in commit dd1d235450dd987b20bff01b7bfb02fe8620a0af. The fix introduces explicit configuration options to control remote administrative command execution:
- New allow_remote_admin_commands boolean flag (defaults to False)
- New allowed_remote_admin_commands allowlist for granular control
- Configuration wizard prompts for secure setup of remote command permissions
For additional details, refer to GitHub Pull Request #127 and the VulnCheck Advisory.
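The deny-by-default decision that these two settings imply, as an added example rather than OpenHarness code. The GatewayConfig dataclass, the ADMIN_COMMANDS set, authorize() and its is_remote flag are assumptions; only the two setting names and the /permissions and /plan commands come from this page.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed set of administrative commands; this page names only /permissions and /plan.
ADMIN_COMMANDS = frozenset({"permissions", "plan"})


@dataclass
class GatewayConfig:
    # Setting names and defaults as shown in the patched model.
    allow_remote_admin_commands: bool = False
    allowed_remote_admin_commands: list[str] = field(default_factory=list)


def normalize(name: str) -> str:
    """Canonical form for comparison: trimmed, no leading '/', lower case."""
    return name.strip().lstrip("/").lower()


def command_name(message: str) -> str | None:
    """Return the slash-command name in a chat message, or None for ordinary chat."""
    text = message.strip()
    if not text.startswith("/"):
        return None
    parts = text[1:].split(maxsplit=1)
    return normalize(parts[0]) if parts else None


def authorize(message: str, is_remote: bool, cfg: GatewayConfig) -> tuple[bool, str]:
    """Decide whether a message may be dispatched; remote admin commands are denied by default."""
    name = command_name(message)
    if name is None or name not in ADMIN_COMMANDS:
        return True, "not an administrative command"
    if not is_remote:
        return True, "local operator session"
    if not cfg.allow_remote_admin_commands:
        return False, "remote admin commands disabled"
    allowed = {normalize(c) for c in cfg.allowed_remote_admin_commands}
    if name not in allowed:
        return False, f"/{name} not in remote allowlist"
    return True, f"/{name} explicitly allowlisted"
```

Both conditions must hold for a remote admin command to pass: the flag is on and the command is listed. A populated allowlist with the flag off still denies.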
Workarounds
- Disable gateway functionality entirely if remote chat access is not required
- Implement network-level access controls to restrict gateway endpoints to trusted IP ranges
- Use firewall rules to block external access to OpenHarness gateway ports
- Deploy application-layer proxy rules to filter administrative slash commands from remote sources
# Secure configuration example from the patch
# Source: https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af
allow_remote_admin_commands = _confirm_prompt(
    "Allow explicitly listed administrative slash commands from remote channels?",
    default=existing.allow_remote_admin_commands,
)
default_allowlist = ", ".join(existing.allowed_remote_admin_commands)
allowed_remote_admin_commands: list[str] = []
if allow_remote_admin_commands:
    allowlist_raw = _text_prompt(
        "Allowed remote admin commands (comma-separated, e.g. permissions, plan)",
        default=default_allowlist,
    )
    allowed_remote_admin_commands = [
        item.strip().lstrip("/")
        for item in allowlist_raw.split(",")
        if item.strip()
    ]


