CVE-2026-40503
Path Traversal in OpenHarness /memory Command Allows File Access
Publication date: 2026-04-16
Last updated on: 2026-04-23
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hkuds | openharness | to 2026-04-13 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote users to read arbitrary files on the host system by exploiting a path traversal flaw in the /memory show command. This unauthorized access to sensitive files could lead to exposure of personal or confidential data.
Such unauthorized data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information and mandate protection against unauthorized disclosure.
The fix introduces strict containment checks, an explicit opt-in mechanism for remote administrative commands, and audit logging to prevent unauthorized access and improve operational awareness, thereby helping to mitigate compliance risks.
Can you explain this vulnerability to me?
CVE-2026-40503 is a path traversal vulnerability in OpenHarness versions prior to commit dd1d235. It allows remote gateway users who have chat access to exploit the `/memory show` slash command by supplying specially crafted path traversal sequences. This enables attackers to escape the intended project memory directory and read arbitrary files accessible to the OpenHarness process. The vulnerability exists because the command does not validate or contain filesystem paths properly, allowing unauthorized file access outside the designated directory.
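A containment check of the kind described above, as an added example that is not OpenHarness code. The names `resolve_memory_entry`, `naive_memory_entry`, `MemoryPathError` and the directory layout are hypothetical, and the sample files are constructed in a temporary directory. It compares an unchecked join with a check made on the fully resolved path, including an absolute path and a symlink that points outside the memory directory.

```python
import os
import tempfile
from pathlib import Path


class MemoryPathError(ValueError):
    """Raised when a requested memory entry resolves outside the memory directory."""


def resolve_memory_entry(memory_dir: Path, requested: str) -> Path:
    """Return the real path of `requested` only if it stays inside `memory_dir`."""
    base = memory_dir.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the check below is made
    # on the file that would really be opened, not on the string the user sent.
    candidate = (base / requested).resolve()
    # An absolute `requested` replaces `base` in the join; the same check catches it.
    if candidate != base and base not in candidate.parents:
        raise MemoryPathError(f"memory path escapes {base}: {requested!r}")
    if not candidate.is_file():
        raise MemoryPathError(f"no such memory entry: {requested!r}")
    return candidate


def naive_memory_entry(memory_dir: Path, requested: str) -> Path:
    """Hypothetical unchecked pattern (CWE-22): join the input and use the result."""
    return Path(os.path.normpath(memory_dir / requested))


def demo() -> dict:
    """Build a constructed project tree and try four requests against both helpers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        memory = root / "project" / "memory"
        memory.mkdir(parents=True)
        (memory / "notes.md").write_text("remembered fact\n")
        secret = root / "secret.txt"             # constructed file outside the memory dir
        secret.write_text("not for chat users\n")
        (memory / "link.md").symlink_to(secret)  # symlink inside that points outside
        for req in ["notes.md", "../../secret.txt", str(secret), "link.md"]:
            naive_escapes = memory not in naive_memory_entry(memory, req).parents
            try:
                resolve_memory_entry(memory, req)
                checked = "allowed"
            except MemoryPathError:
                checked = "rejected"
            results["<absolute>" if req == str(secret) else req] = (naive_escapes, checked)
    return results
```

The `link.md` case is the one a string-only check misses: the joined path looks contained, and only resolving it shows that it leaves the memory directory.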
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized disclosure of sensitive files on the host system. Remote attackers can read arbitrary files that the OpenHarness process has access to, potentially exposing confidential information. Additionally, related issues in the same context allow remote users to escalate privileges by invoking local-only administrative commands remotely, which can disable critical safety controls and lead to further unauthorized operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring attempts to invoke the `/memory show` slash command with path traversal sequences that try to escape the project memory directory.
Since the fix includes logging of remote administrative command invocations with details such as channel, chat ID, sender ID, and command name, reviewing these logs for suspicious `/memory show` commands with unusual path parameters can help detect exploitation attempts.
There is no explicit command provided in the resources for detection, but you can check gateway logs for entries related to remote invocations of the `/memory show` command and look for error messages indicating denied path traversal attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading OpenHarness to the version including commit dd1d235 or later, which contains the fix for CVE-2026-40503.
The fix introduces an explicit opt-in mechanism for remote administrative slash commands, which by default disables remote invocation of sensitive commands like `/memory show`.
- Set the configuration option `allow_remote_admin_commands` to `False` (default) to prevent remote administrative commands.
- If remote admin commands are necessary, explicitly specify allowed commands in `allowed_remote_admin_commands` to restrict which commands can be invoked remotely.
Ensure that the gateway configuration wizard is used to confirm these settings and that warnings about enabled remote admin commands are reviewed.
Monitor logs for any unauthorized remote command invocation attempts and verify that the `/memory show` command rejects path traversal attempts.