OpenHarness – Cross-Session Disclosure via /resume and /summary Commands

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.

Basic Information

ID CVE-2026-56695

Source VulnCheck

Published Jun 23, 2026 at 15:36

Affected Product

Vendor HKUDS

Product OpenHarness

Affected Versions HKUDS OpenHarness 0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.",
    "published": "2026-06-23T15:36:01.873Z",
    "modified": "2026-06-23T15:36:01.873Z",
    "type": "cve",
    "title": "OpenHarness - Cross-Session Disclosure via /resume and /summary Commands",
    "source": "VulnCheck",
    "references": "https://github.com/HKUDS/OpenHarness/pull/276\nhttps://github.com/HKUDS/OpenHarness/commit/92e298852c9b9c8c2266236292073623418c640a\nhttps://www.vulncheck.com/advisories/openharness-cross-session-disclosure-via-resume-and-summary-commands",
    "id": "CVE-2026-56695",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "HKUDS OpenHarness 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenHarness",
    "version": "0",
    "vendor": "HKUDS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenHarness – Cross-Session Disclosure via /resume and /summary Commands_CVE-2026-56695