HIGHCVE-2026-40515Published Modified CNA VulnCheck
CVE-2026-40515: OpenHarness Permission Bypass via grep and glob root argument
OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not properly evaluated against configured path rules, allowing disclosure of sensitive local file content, key material, configuration files, or directory contents despite configured path restrictions.
Metrics
- CVSS v4.0
- 8.7
- Severity
- HIGH
- Fixed in
- bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae
- Affected Products
- 1
Affected packages
- HKUDS / OpenHarness< bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences