CVE-2026-6823 · HIGH 8.2 · EPSS percentile 25.7%

CVE-2026-6823

Description

HKUDS OpenHarness prior to the PR #147 remediation ships an insecure default configuration: remote channels inherit allow_from = ["*"], so any remote sender passes the admission check. An attacker who can reach a configured channel therefore bypasses the intended access control and can drive the host-backed agent runtime; because read-only tools are enabled by default, this can lead to unauthorized read access to files on the host (unauthorized file disclosure).
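The weak default and a fail-closed admission check side by side, as an added example; this is not OpenHarness code and not the content of PR #147. Only the setting name allow_from and the wildcard value "*" come from the advisory; the configuration layout, channel names, sender identifiers and function names are assumptions made for illustration. The audit function also flags channels with no allow_from at all, since the advisory describes the wildcard as an inherited default rather than an explicit setting.

```python
"""Added example (not OpenHarness code): a sender-admission check and a config
audit that flags the insecure default described in CVE-2026-6823.

Only `allow_from` and the "*" wildcard come from the advisory; the config
layout, channel names and function names are assumptions for illustration.
"""
from typing import Any

WILDCARD = "*"

# Constructed sample config: one channel still on the vulnerable default,
# one with an explicit allowlist, one local channel with no remote senders.
SAMPLE_CONFIG: dict[str, Any] = {
    "channels": {
        "telegram": {"remote": True, "allow_from": ["*"]},          # insecure default
        "slack":    {"remote": True, "allow_from": ["U024BE7LH"]},  # explicit allowlist
        "local":    {"remote": False},                              # no remote senders
    }
}


def is_sender_admitted_vulnerable(channel_cfg: dict[str, Any], sender: str) -> bool:
    """The pre-fix behaviour the advisory describes: "*" matches any sender."""
    allow = channel_cfg.get("allow_from") or []
    return WILDCARD in allow or sender in allow


def is_sender_admitted(channel_cfg: dict[str, Any], sender: str) -> bool:
    """Deny by default: a remote sender is admitted only if listed explicitly.

    A wildcard entry is treated as a misconfiguration and refused, so a channel
    left on the ["*"] default fails closed instead of admitting everyone.
    A missing allow_from is an empty allowlist, not an implicit "*".
    """
    if not channel_cfg.get("remote", False):
        return False  # local channels carry no remote senders to admit
    allow = channel_cfg.get("allow_from") or []
    if WILDCARD in allow:
        return False
    return sender in allow


def audit_channels(config: dict[str, Any]) -> list[str]:
    """Return one finding per remote channel whose allow_from admits anyone."""
    findings: list[str] = []
    for name, cfg in config.get("channels", {}).items():
        if not cfg.get("remote", False):
            continue
        allow = cfg.get("allow_from")
        # None means the channel would inherit the insecure default.
        if allow is None or WILDCARD in allow:
            findings.append(
                f"{name}: remote channel allow_from={allow!r} admits arbitrary senders"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_channels(SAMPLE_CONFIG):
        print("FINDING", finding)
```

Run the audit against a deployment's channel configuration before exposing any channel to the network; a single wildcard entry on a remote channel is equivalent to no access control on that channel at all.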

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.34% probability of exploitation · percentile 25.7% · 2026-06-19T12:03:05Z
Published: 2026-04-21
Last modified: 2026-05-07

Underlying weaknesses · 1

CWE-276 (Incorrect Default Permissions)

References

  1. https://github.com/HKUDS/OpenHarness/commit/fab40c6eabfb15f2bdf23cddd3cfe66a64ea203d
  2. https://github.com/HKUDS/OpenHarness/pull/147
  3. https://github.com/HKUDS/OpenHarness/releases/tag/v0.1.7
  4. https://www.vulncheck.com/advisories/hkuds-openharness-insecure-default-remote-channel-allowlist

Type      Target                                   Confidence  Tier
Weakness  Incorrect Default Permissions (cwe-276)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-6819
  - CVE: CVE-2026-7551
  - CVE: CVE-2026-40502
  - CVE: CVE-2026-32005
  - CVE: CVE-2026-22172
  - CVE: CVE-2026-32974
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.