Compliance Impact

The vulnerability allows remote users to read arbitrary files on the host system by exploiting a path traversal flaw in the /memory show command. This unauthorized access to sensitive files could lead to exposure of personal or confidential data.

Such unauthorized data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information and mandate protection against unauthorized disclosure.

The fix introduces strict containment checks, an explicit opt-in mechanism for remote administrative commands, and audit logging to prevent unauthorized access and improve operational awareness, thereby helping to mitigate compliance risks.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40503 is a path traversal vulnerability in OpenHarness versions prior to commit dd1d235. It allows remote gateway users who have chat access to exploit the `/memory show` slash command by supplying specially crafted path traversal sequences. This enables attackers to escape the intended project memory directory and read arbitrary files accessible to the OpenHarness process. The vulnerability exists because the command does not validate or contain filesystem paths properly, allowing unauthorized file access outside the designated directory.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive files on the host system. Remote attackers can read arbitrary files that the OpenHarness process has access to, potentially exposing confidential information. Additionally, related issues in the same context allow remote users to escalate privileges by invoking local-only administrative commands remotely, which can disable critical safety controls and lead to further unauthorized operations.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring attempts to invoke the /memory show slash command with path traversal sequences that try to escape the project memory directory.

Since the fix includes logging of remote administrative command invocations with details such as channel, chat ID, sender ID, and command name, reviewing these logs for suspicious /memory show commands with unusual path parameters can help detect exploitation attempts.

There is no explicit command provided in the resources for detection, but you can check gateway logs for entries related to remote invocations of the /memory show command and look for error messages indicating denied path traversal attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading OpenHarness to the version including commit dd1d235 or later, which contains the fix for CVE-2026-40503.

The fix introduces an explicit opt-in mechanism for remote administrative slash commands, which by default disables remote invocation of sensitive commands like /memory show.

• Set the configuration option `allow_remote_admin_commands` to `False` (default) to prevent remote administrative commands.
• If remote admin commands are necessary, explicitly specify allowed commands in `allowed_remote_admin_commands` to restrict which commands can be invoked remotely.

Ensure that the gateway configuration wizard is used to confirm these settings and that warnings about enabled remote admin commands are reviewed.

Monitor logs for any unauthorized remote command invocation attempts and verify that the /memory show command rejects path traversal attempts.

Useful 0 Not Useful 0