Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56696

CVE-2026-56696: OpenHarness RCE Vulnerability

CVE-2026-56696 is a remote code execution flaw in OpenHarness that allows attackers to inject malicious Markdown into project files, persistently compromising agent behavior. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-56696 Overview

CVE-2026-56696 affects OpenHarness, where the /issue and /pr_comments slash commands lack the remote_invocable=False protection flag. Admitted remote channel senders can invoke these commands to write attacker-controlled Markdown into the .openharness/issue.md and .openharness/pr_comments.md project context files. These files are subsequently injected into the runtime system prompts of local agents. The result is a persistent prompt injection that influences agent behavior across sessions. The flaw maps to [CWE-862: Missing Authorization].

Critical Impact

Remote attackers with channel access can persistently poison local AI agent system prompts by writing malicious Markdown into project context files.

Affected Products

  • OpenHarness (HKUDS/OpenHarness) prior to the patch in commit 27bb93b
  • Deployments exposing /issue slash command to remote channel senders
  • Deployments exposing /pr_comments slash command to remote channel senders

Discovery Timeline

  • 2026-06-23 - CVE-2026-56696 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-56696

Vulnerability Analysis

OpenHarness exposes slash commands through a registry that controls whether each command can be invoked remotely. The /issue and /pr_comments handlers update project context files used to build agent system prompts. Because these two commands were registered without the remote_invocable=False flag, any admitted remote sender could invoke them. An attacker writes arbitrary Markdown into .openharness/issue.md or .openharness/pr_comments.md. The local agent then loads this content into its runtime system prompt, executing instructions chosen by the attacker. The injection persists across sessions because the content lives on disk in the project workspace.

Root Cause

The SlashCommand registrations for issue and pr_comments in src/openharness/commands/registry.py omitted the remote_invocable=False and remote_admin_opt_in=True arguments applied to other sensitive commands. This missing authorization control allowed remote invocation of handlers that should be restricted to local or administrative use.

Attack Vector

An admitted remote channel sender issues /issue or /pr_comments with attacker-controlled Markdown payloads. The handler writes the payload into the project context file. On the next agent run, the poisoned Markdown is concatenated into the system prompt, altering tool selection, exfiltrating data, or steering generated code.

python
# Patch in src/openharness/commands/registry.py
# Before (vulnerable):
registry.register(SlashCommand("issue", "Show or update project issue context", _issue_handler))
registry.register(SlashCommand("pr_comments", "Show or update project PR comments context", _pr_comments_handler))

# After (patched):
registry.register(
    SlashCommand(
        "issue",
        "Show or update project issue context",
        _issue_handler,
        remote_invocable=False,
        remote_admin_opt_in=True,
    )
)
registry.register(
    SlashCommand(
        "pr_comments",
        "Show or update project PR comments context",
        _pr_comments_handler,
        remote_invocable=False,
        remote_admin_opt_in=True,
    )
)

Source: GitHub Commit 27bb93b

Detection Methods for CVE-2026-56696

Indicators of Compromise

  • Unexpected modifications to .openharness/issue.md or .openharness/pr_comments.md within project workspaces.
  • Markdown content in these files containing imperative instructions, hidden HTML comments, or references to external URLs not authored by project maintainers.
  • Remote slash command invocations of /issue or /pr_comments from non-admin channel senders in OpenHarness logs.

Detection Strategies

  • Monitor file integrity of all .openharness/*.md context files and alert on writes that do not originate from local users.
  • Audit OpenHarness command logs for remote invocations of /issue and /pr_comments prior to the patch in commit 27bb93b.
  • Inspect generated agent system prompts for anomalous instructions, role overrides, or tool-use directives.

Monitoring Recommendations

  • Forward OpenHarness command and channel logs to a central log store and alert on slash command invocations from remote, non-admin identities.
  • Track diffs of project context files in version control and require review for changes touching issue.md or pr_comments.md.
  • Correlate agent prompt content with recent slash command activity to identify prompt poisoning.

How to Mitigate CVE-2026-56696

Immediate Actions Required

  • Update OpenHarness to a release that includes commit 27bb93b or later, which adds remote_invocable=False and remote_admin_opt_in=True to both handlers.
  • Audit .openharness/issue.md and .openharness/pr_comments.md in every project and revert any unauthorized content.
  • Restrict channel admission so that only trusted identities can send slash commands to OpenHarness instances.

Patch Information

The fix is delivered in pull request #272 and merged via commit 27bb93b. The patch marks both commands as not remotely invocable and requires explicit administrative opt-in for remote execution. Refer to the VulnCheck advisory for additional context.

Workarounds

  • Disable or unregister the /issue and /pr_comments slash commands until the patched version can be deployed.
  • Block remote channel senders from reaching the OpenHarness command interface using network or application-layer access controls.
  • Make .openharness/issue.md and .openharness/pr_comments.md read-only for the OpenHarness process where operationally feasible.
bash
# Pin OpenHarness to a patched commit
git -C /opt/openharness fetch origin
git -C /opt/openharness checkout 27bb93b810e9ea8fa4832eab7152eeb3b4a6bffb

# Audit project context files for tampering
find . -type f \( -name 'issue.md' -o -name 'pr_comments.md' \) -path '*/.openharness/*' -print -exec cat {} \;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.