HIGHCVE-2026-6823Published Modified CNA VulnCheck
CVE-2026-6823: HKUDS OpenHarness Insecure Default Remote Channel Allowlist
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.
Metrics
- CVSS v4.0
- 8.3
- Severity
- HIGH
- Fixed in
- PR #147
- Affected Products
- 1
Affected packages
- HKUDS / OpenHarness< PR #147 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N