CVE-2026-6729
Session Key Derivation Flaw in HKUDS OpenHarness Enables Session Hijacking
Publication date: 2026-04-20
Last updated on: 2026-04-24
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hkuds | openharness | up to 0.1.7 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in HKUDS OpenHarness versions prior to the remediation in PR #159. It is a session key derivation flaw that allows authenticated participants in shared chats or threads to hijack other users' sessions. The issue arises because the shared ohmo session key is derived without the sender's identity, so any participant in the same chat or thread resolves to the same session and can reuse another user's conversation state. This lets them replace or interrupt the victim's active tasks by landing in the same session within the shared chat or thread.
How can this vulnerability impact me?
The vulnerability can lead to session hijacking within shared chat or thread environments. An attacker who is an authenticated participant can take over another user's session, potentially replacing or interrupting their active tasks. This can result in unauthorized actions being performed in the victim's name, loss of data integrity, and disruption of normal communication or workflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from session key collisions due to missing sender identity in session key derivation within shared chats or threads in HKUDS OpenHarness. Detection involves verifying whether session keys include sender IDs to ensure session isolation per user.
To detect the vulnerability on your system, you can check the session key generation logic in the ohmo gateway component, specifically in the function responsible for session key derivation (e.g., `session_key_for_message`). If the session keys do not incorporate the sender ID along with chat and thread identifiers, your system is vulnerable.
Since this is a software logic issue, detection commands would involve inspecting the source code or runtime logs for session keys. For example, you can search for session key patterns in logs or debug output to see if sender IDs are included.
- Use grep or similar tools to search logs for session keys missing sender IDs, e.g.: `grep -E 'session_key=.*:[^:]+$' /path/to/logs` (looking for keys with only channel and chat_id but no sender_id). This pattern is a heuristic that assumes a colon-separated `channel:chat_id` key layout; adjust it to the format your logs actually emit.
- Review the source code for the session key generation function to confirm if sender ID is included, e.g.: `grep -A 10 'def session_key_for_message' ohmo/gateway/router.py`.
- Run regression or unit tests similar to those added in the patch (e.g., `pytest tests/test_ohmo/test_gateway.py`) to verify session key behavior includes sender identity.
No specific network scanning or automated detection commands are provided in the available resources, as the vulnerability is primarily a session key derivation logic flaw within the application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-6729, you should apply the patch introduced in PR #159 for HKUDS OpenHarness. This patch updates the session key generation to include the sender ID, ensuring session isolation per sender within shared chats or threads.
- Update the OpenHarness ohmo gateway to the fixed version containing the session key derivation fix.
- Ensure that the session key generation function includes sender identity along with chat and thread identifiers.
- Verify that runtime session restoration and message routing respect sender-scoped session keys to prevent cross-user session reuse.
- Run regression tests similar to those added in the patch to confirm that session isolation is enforced.
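As an added illustration of the detection check and the fix described above (not OpenHarness's own code), the following compares an unscoped key derivation, in which two participants of one chat or thread collide, with a sender-scoped derivation that isolates them. The message fields and function names are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed message model; field names are assumptions, not OpenHarness's own.
@dataclass(frozen=True)
class InboundMessage:
    channel: str
    chat_id: str
    sender_id: str
    thread_id: Optional[str] = None

def _scope_parts(msg: InboundMessage) -> list:
    """Channel, chat and (when present) thread: the shared conversation scope."""
    parts = [msg.channel, msg.chat_id]
    if msg.thread_id:
        parts.append(msg.thread_id)
    return parts

def session_key_unscoped(msg: InboundMessage) -> str:
    """Pre-fix style derivation (illustrative): conversation scope only.
    Every participant in the same chat or thread derives the same key."""
    return ":".join(_scope_parts(msg))

def session_key_sender_scoped(msg: InboundMessage) -> str:
    """Post-fix style derivation: sender identity is part of the key, so one
    participant's conversation state is never reachable by another."""
    return ":".join(_scope_parts(msg) + [msg.sender_id])

def session_keys_collide(a: InboundMessage, b: InboundMessage,
                         derive: Callable[[InboundMessage], str]) -> bool:
    """Detection check: do two different senders map to one session key?"""
    return a.sender_id != b.sender_id and derive(a) == derive(b)

def route(sessions: Dict[str, dict], msg: InboundMessage,
          derive: Callable[[InboundMessage], str]) -> Tuple[str, str]:
    """Look up or create the session state for msg and return (key, owner).
    The owner is whoever first created the state; with an unscoped key a
    second sender silently inherits another user's active session."""
    key = derive(msg)
    state = sessions.setdefault(key, {"owner": msg.sender_id, "senders": []})
    state["senders"].append(msg.sender_id)
    return key, state["owner"]
```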
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared session key that lacks sender identity verification. This leads to unauthorized access to conversation states and interference with active tasks, effectively causing session state leakage and privilege escalation.
Such unauthorized access and session hijacking can result in exposure of potentially sensitive or personal data, which may violate data protection requirements under standards like GDPR and HIPAA that mandate strict controls on user data confidentiality and integrity.
By enabling cross-user session reuse and task interruption without elevated privileges, the vulnerability undermines the principle of user session isolation and data confidentiality, which are critical for compliance with these regulations.
The fix introduced sender identity into session key derivation to isolate sessions per user, thereby mitigating risks of unauthorized data access and helping maintain compliance with data protection standards.