Server-Side Request Forgery in OpenHarness Web Tools
CVE-2026-40516

7.8HIGH

Key Information:

Vendor: Hkuds
Status: Openharness
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-40516?

OpenHarness contains a server-side request forgery vulnerability affecting its web_fetch and web_search functionalities. This flaw enables attackers to manipulate parameters to access private HTTP services, including localhost and cloud metadata endpoints, by invoking these tools against non-public addresses without sufficient validation. As a result, responses from local development services and other sensitive resources can be exposed to unauthorized users, significantly impacting the security of affected systems.

Affected Version(s)

OpenHarness 0

References

https://github.com/HKUDS/OpenHarness/pull/92

issue-tracking

https://github.com/HKUDS/OpenHarness/commit/bd4df81f634f8...

patch

https://www.vulncheck.com/advisories/openharness-ssrf-via...

third-party-advisory

CVSS V4

Score:

7.8

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

Chia Min Jun Lennon

CVE-2026-40516 Data

JSON

Hkuds

What is CVE-2026-40516?

Affected Version(s)

References

CVSS V4

Timeline

Credit