Markdown Injection Vulnerability in OpenHarness by HKUDS
CVE-2026-56696

5.3MEDIUM

Key Information:

Vendor

Hkuds

Vendor
CVE Published:
23 June 2026

What is CVE-2026-56696?

A vulnerability in OpenHarness allows attackers to exploit the issue and pr_comments slash commands by bypassing the remote_invocable=False restriction. This permits the injection of malicious Markdown content into critical project context files, including .openharness/issue.md and .openharness/pr_comments.md. Once injected, this malicious content can influence the behavior of local agents during runtime, posing a significant risk to project integrity and security.

Affected Version(s)

OpenHarness 0 <= 0.1.9

OpenHarness 27bb93b810e9ea8fa4832eab7152eeb3b4a6bffb

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon
.