CVE-2026-6823
Insecure Default Configuration in HKUDS OpenHarness Allows Unauthorized Access
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hkuds | openharness | to PR_147 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in HKUDS OpenHarness versions prior to the remediation in PR #147. It involves an insecure default configuration where remote channels inherit a setting allow_from = ["*"], which means any remote sender is permitted to pass admission checks.
As a result, attackers who can reach these configured channels can bypass access controls and gain access to host-backed agent runtimes.
This unauthorized access can potentially lead to unauthorized file disclosure and read access through default-enabled read-only tools.
How can this vulnerability impact me? :
The vulnerability allows remote attackers to bypass access controls and access host-backed agent runtimes without authorization.
This can lead to unauthorized disclosure of files and read access to sensitive information via default-enabled read-only tools.
Given the CVSS v3.1 base score of 8.2, the impact is considered high in terms of confidentiality, with potential limited impact on integrity and no impact on availability.