{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22682", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-08T19:04:26.365Z", "datePublished": "2026-04-07T17:09:01.033Z", "dateUpdated": "2026-04-07T17:09:01.033Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T17:09:01.033Z"}, "title": "OpenHarness Improper Access Control via File Tools", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "HKUDS", "product": "OpenHarness", "repo": "https://github.com/HKUDS/OpenHarness", "versions": [{"status": "affected", "version": "0", "lessThan": "166fcfefb7614dbac51bd061f56542725b0298e9", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OpenHarness prior to commit 166fcfe\u00a0contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OpenHarness prior to commit 166fcfe&nbsp;contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode.<br>"}]}], "references": [{"url": "https://github.com/HKUDS/OpenHarness/pull/32", "tags": ["issue-tracking"]}, {"url": "https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "credits": [{"lang": "en", "value": "Chia Min Jun Lennon", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenHarness prior to commit 166fcfe\u00a0contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode."}], "id": "CVE-2026-22682", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:39.033", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/HKUDS/OpenHarness/pull/32"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,166fcfefb7614dbac51bd061f56542725b0298e9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OpenHarness", "source": "cna", "vendor": "HKUDS"}, "product": "openharness", "vendor": "hkuds"}], "analysis": {"en": {"generated_at": "2026-04-07T21:23:25.977580+00:00", "value": {"mitigation_remediation": ["Upgrade to a version containing commit 166fcfe or later to fix the permission enforcement bug. If immediate upgrade is not possible, restrict which users or services can invoke the file tools, ensuring only trusted accounts have that capability. Disable full_auto mode if it is not required for your workflow. Monitor file access logs for unexpected reads or writes outside the repository. Verify your OpenHarness deployment is not exposed to untrusted networks or users."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized file access including reading sensitive data and creating/overwriting restricted files"}, "threat_synthesis": {"affected_systems": "OpenHarness versions prior to commit 166fcfe are affected. The vulnerability applies to any installation of the HKUDS:OpenHarness product where the file tools are available and unpatched.", "description_and_impact": "The bug allows an attacker who can influence the execution of built\u2011in file tools to read or write files outside the intended repository, because the path argument is omitted from the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools. This can expose configuration files, credentials, SSH private keys, or allow the attacker to create or overwrite files in privileged host locations, especially when the full_auto mode is enabled. The consequence is loss of confidentiality and integrity, and potentially the ability to modify system state or elevate privileges.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.4, indicating high severity. EPSS information is not available, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to be able to influence the agent tool execution, which typically means having authenticated control over the harness or exploiting a misconfiguration that exposes the tools to untrusted input. The potential impact is significant, especially if the harness is reachable from untrusted networks, leading to data exposure and potential system compromise."}}}}, "created": "2026-04-08T19:36:28.219243+00:00", "updated": "2026-04-08T19:47:26.814636+00:00", "vendors": ["hkuds", "hkuds$PRODUCT$openharness"]}