CVE-2026-56696 Overview
CVE-2026-56696 affects OpenHarness, where the /issue and /pr_comments slash commands lack the remote_invocable=False protection flag. Admitted remote channel senders can invoke these commands to write attacker-controlled Markdown into the .openharness/issue.md and .openharness/pr_comments.md project context files. These files are subsequently injected into the runtime system prompts of local agents. The result is a persistent prompt injection that influences agent behavior across sessions. The flaw maps to [CWE-862: Missing Authorization].
Critical Impact
Remote attackers with channel access can persistently poison local AI agent system prompts by writing malicious Markdown into project context files.
Affected Products
- OpenHarness (HKUDS/OpenHarness) prior to the patch in commit 27bb93b
- Deployments exposing /issue slash command to remote channel senders
- Deployments exposing /pr_comments slash command to remote channel senders
Discovery Timeline
- 2026-06-23 - CVE-2026-56696 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-56696
Vulnerability Analysis
OpenHarness exposes slash commands through a registry that controls whether each command can be invoked remotely. The /issue and /pr_comments handlers update project context files used to build agent system prompts. Because these two commands were registered without the remote_invocable=False flag, any admitted remote sender could invoke them. An attacker writes arbitrary Markdown into .openharness/issue.md or .openharness/pr_comments.md. The local agent then loads this content into its runtime system prompt, executing instructions chosen by the attacker. The injection persists across sessions because the content lives on disk in the project workspace.
Root Cause
The SlashCommand registrations for issue and pr_comments in src/openharness/commands/registry.py omitted the remote_invocable=False and remote_admin_opt_in=True arguments applied to other sensitive commands. This missing authorization control allowed remote invocation of handlers that should be restricted to local or administrative use.
Attack Vector
An admitted remote channel sender issues /issue or /pr_comments with attacker-controlled Markdown payloads. The handler writes the payload into the project context file. On the next agent run, the poisoned Markdown is concatenated into the system prompt, altering tool selection, exfiltrating data, or steering generated code.
# Patch in src/openharness/commands/registry.py
# Before (vulnerable):
registry.register(SlashCommand("issue", "Show or update project issue context", _issue_handler))
registry.register(SlashCommand("pr_comments", "Show or update project PR comments context", _pr_comments_handler))
# After (patched):
registry.register(
SlashCommand(
"issue",
"Show or update project issue context",
_issue_handler,
remote_invocable=False,
remote_admin_opt_in=True,
)
)
registry.register(
SlashCommand(
"pr_comments",
"Show or update project PR comments context",
_pr_comments_handler,
remote_invocable=False,
remote_admin_opt_in=True,
)
)
Source: GitHub Commit 27bb93b
Detection Methods for CVE-2026-56696
Indicators of Compromise
- Unexpected modifications to .openharness/issue.md or .openharness/pr_comments.md within project workspaces.
- Markdown content in these files containing imperative instructions, hidden HTML comments, or references to external URLs not authored by project maintainers.
- Remote slash command invocations of /issue or /pr_comments from non-admin channel senders in OpenHarness logs.
Detection Strategies
- Monitor file integrity of all .openharness/*.md context files and alert on writes that do not originate from local users.
- Audit OpenHarness command logs for remote invocations of /issue and /pr_comments prior to the patch in commit 27bb93b.
- Inspect generated agent system prompts for anomalous instructions, role overrides, or tool-use directives.
Monitoring Recommendations
- Forward OpenHarness command and channel logs to a central log store and alert on slash command invocations from remote, non-admin identities.
- Track diffs of project context files in version control and require review for changes touching issue.md or pr_comments.md.
- Correlate agent prompt content with recent slash command activity to identify prompt poisoning.
How to Mitigate CVE-2026-56696
Immediate Actions Required
- Update OpenHarness to a release that includes commit 27bb93b or later, which adds remote_invocable=False and remote_admin_opt_in=True to both handlers.
- Audit .openharness/issue.md and .openharness/pr_comments.md in every project and revert any unauthorized content.
- Restrict channel admission so that only trusted identities can send slash commands to OpenHarness instances.
Patch Information
The fix is delivered in pull request #272 and merged via commit 27bb93b. The patch marks both commands as not remotely invocable and requires explicit administrative opt-in for remote execution. Refer to the VulnCheck advisory for additional context.
Workarounds
- Disable or unregister the /issue and /pr_comments slash commands until the patched version can be deployed.
- Block remote channel senders from reaching the OpenHarness command interface using network or application-layer access controls.
- Make .openharness/issue.md and .openharness/pr_comments.md read-only for the OpenHarness process where operationally feasible.
# Pin OpenHarness to a patched commit
git -C /opt/openharness fetch origin
git -C /opt/openharness checkout 27bb93b810e9ea8fa4832eab7152eeb3b4a6bffb
# Audit project context files for tampering
find . -type f \( -name 'issue.md' -o -name 'pr_comments.md' \) -path '*/.openharness/*' -print -exec cat {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

