CVE-2026-6729
Status: Received - Intake
Session Key Derivation Flaw in HKUDS OpenHarness Enables Session Hijacking

Publication date: 2026-04-20

Last updated on: 2026-04-24

Assigner: VulnCheck

Description
HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: hkuds
Product: openharness
Version range: up to 0.1.7 (exclusive)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in HKUDS OpenHarness versions prior to the remediation in PR #159. It involves a session key derivation flaw that allows authenticated participants in shared chats or threads to hijack other users' sessions. The issue arises because the shared ohmo session key does not verify the sender's identity, enabling attackers to reuse another user's conversation state. This lets them replace or interrupt the victim's active tasks by colliding into the same session boundary within the shared chat or thread.

How can this vulnerability impact me?

The vulnerability can lead to session hijacking within shared chat or thread environments. An attacker who is an authenticated participant can take over another user's session, potentially replacing or interrupting their active tasks. This can result in unauthorized actions being performed in the victim's name, loss of data integrity, and disruption of normal communication or workflow.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from session key collisions due to missing sender identity in session key derivation within shared chats or threads in HKUDS OpenHarness. Detection involves verifying whether session keys include sender IDs to ensure session isolation per user.

To detect the vulnerability on your system, you can check the session key generation logic in the ohmo gateway component, specifically in the function responsible for session key derivation (e.g., `session_key_for_message`). If the session keys do not incorporate the sender ID along with chat and thread identifiers, your system is vulnerable.

Since this is a software logic issue, detection commands would involve inspecting the source code or runtime logs for session keys. For example, you can search for session key patterns in logs or debug output to see if sender IDs are included.

  • Use grep or similar tools to search logs for session keys missing sender IDs, e.g.: `grep -E 'session_key=.*:[^:]+$' /path/to/logs` (looking for keys with only channel and chat_id but no sender_id).
  • Review the source code for the session key generation function to confirm if sender ID is included, e.g.: `grep -A 10 'def session_key_for_message' ohmo/gateway/router.py`.
  • Run regression or unit tests similar to those added in the patch (e.g., `pytest tests/test_ohmo/test_gateway.py`) to verify session key behavior includes sender identity.

No specific network scanning or automated detection commands are provided in the available resources, as the vulnerability is primarily a session key derivation logic flaw within the application.

What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-6729, you should apply the patch introduced in PR #159 for HKUDS OpenHarness. This patch updates the session key generation to include the sender ID, ensuring session isolation per sender within shared chats or threads.

  • Update the OpenHarness ohmo gateway to the fixed version containing the session key derivation fix.
  • Ensure that the session key generation function includes sender identity along with chat and thread identifiers.
  • Verify that runtime session restoration and message routing respect sender-scoped session keys to prevent cross-user session reuse.
  • Run regression tests similar to those added in the patch to confirm that session isolation is enforced.
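The detection and mitigation answers above both come down to one property: the key that selects a conversation's session must include the sender identity, not only the channel, chat and thread. The following Python example is added here to make that property concrete; it is not OpenHarness code and does not reproduce the project's real `session_key_for_message`, message schema, log format or router. The field names (`channel`, `chat_id`, `thread_id`, `sender_id`), the colon-joined key layout, the `session_key=... sender_id=...` log lines and the `SessionRouter` class are all assumptions constructed for the example. It shows a chat-scoped derivation beside a sender-scoped one, a minimal router that demonstrates why the first lets one participant land in another's session, and a log audit helper of the kind the detection bullet describes.

```python
# Added example: sender-scoped session key derivation.
# All names, field layouts and log formats below are assumptions, not OpenHarness code.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class InboundMessage:
    """Assumed shape of an inbound chat message."""
    channel: str
    chat_id: str
    sender_id: str
    thread_id: Optional[str] = None


def legacy_session_key(msg: InboundMessage) -> str:
    """Chat-scoped derivation (assumed pre-fix shape): channel + chat + thread.
    Every participant of the same chat/thread maps to one shared key."""
    return f"{msg.channel}:{msg.chat_id}:{msg.thread_id or ''}"


def session_key_for_message(msg: InboundMessage) -> str:
    """Sender-scoped derivation: the sender id is part of the key, so two
    participants of one chat/thread never share conversation state.
    Fixed slot positions (an absent thread stays an empty slot) and a
    separator check keep differently split inputs from colliding."""
    if not msg.sender_id:
        raise ValueError("sender_id is required to derive a session key")
    slots = (msg.channel, msg.chat_id, msg.thread_id or "", msg.sender_id)
    if any(":" in s for s in slots):
        raise ValueError("session key components must not contain ':'")
    return ":".join(slots)


@dataclass
class SessionState:
    owner: str                       # sender who created the session
    active_task: Optional[str] = None
    history: List[str] = field(default_factory=list)


class SessionRouter:
    """Minimal router: restores or creates the session chosen by the key
    derivation it was built with, then records the message."""

    def __init__(self, derive: Callable[[InboundMessage], str]) -> None:
        self._derive = derive
        self._sessions: Dict[str, SessionState] = {}

    def handle(self, msg: InboundMessage, text: str) -> SessionState:
        key = self._derive(msg)
        state = self._sessions.setdefault(key, SessionState(owner=msg.sender_id))
        state.history.append(text)
        if text.startswith("/task "):
            # A new task replaces whatever task the session was running.
            state.active_task = text[len("/task "):]
        return state


# Constructed log lines in the assumed format 'session_key=<key> sender_id=<id>'.
SAMPLE_LOG_LINES = [
    "session_key=slack:C123:T9 sender_id=U_alice",
    "session_key=slack:C123:T9:U_bob sender_id=U_bob",
]


def audit_session_keys(log_lines: List[str]) -> List[str]:
    """Return every logged session key that is not sender-scoped, i.e. does
    not end with the sender id recorded on the same line."""
    unscoped = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        key, sender = fields.get("session_key"), fields.get("sender_id")
        if key is not None and sender is not None and not key.endswith(":" + sender):
            unscoped.append(key)
    return unscoped


def demo() -> dict:
    """Two participants in one thread, routed first by the chat-scoped key,
    then by the sender-scoped key."""
    alice = InboundMessage("slack", "C123", "U_alice", thread_id="T9")
    bob = InboundMessage("slack", "C123", "U_bob", thread_id="T9")

    weak = SessionRouter(legacy_session_key)
    weak.handle(alice, "/task summarize the design doc")
    weak_state = weak.handle(bob, "/task draft the release notes")  # lands in Alice's session

    fixed = SessionRouter(session_key_for_message)
    fixed.handle(alice, "/task summarize the design doc")
    fixed.handle(bob, "/task draft the release notes")
    alice_state = fixed.handle(alice, "status?")

    return {
        "weak_same_key": legacy_session_key(alice) == legacy_session_key(bob),
        "weak_alice_task": weak_state.active_task,
        "fixed_same_key": session_key_for_message(alice) == session_key_for_message(bob),
        "fixed_alice_task": alice_state.active_task,
        "fixed_alice_owner": alice_state.owner,
    }


if __name__ == "__main__":
    print(demo())
    print(audit_session_keys(SAMPLE_LOG_LINES))
```

Under the chat-scoped derivation Bob's `/task` message is handled in the session Alice created, replacing her active task, which is the interruption the description above refers to; under the sender-scoped derivation each participant keeps an isolated session. A regression test of the kind the mitigation bullet mentions only needs to assert that two messages differing in `sender_id` alone derive distinct keys and that a message with no sender is rejected rather than silently merged into a shared key.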

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared session key that lacks sender identity verification. This leads to unauthorized access to conversation states and interference with active tasks, effectively causing session state leakage and privilege escalation.

Such unauthorized access and session hijacking can result in exposure of potentially sensitive or personal data, which may violate data protection requirements under standards like GDPR and HIPAA that mandate strict controls on user data confidentiality and integrity.

By enabling cross-user session reuse and task interruption without elevated privileges, the vulnerability undermines the principle of user session isolation and data confidentiality, which are critical for compliance with these regulations.

The fix introduced sender identity into session key derivation to isolate sessions per user, thereby mitigating risks of unauthorized data access and helping maintain compliance with data protection standards.