Session Key Derivation Vulnerability in HKUDS OpenHarness
CVE-2026-6729

5.3 MEDIUM

Key Information:

Vendor

HKUDS

CVE Published: 20 April 2026

What is CVE-2026-6729?

HKUDS OpenHarness is affected by a session key derivation flaw that lets authenticated users hijack sessions in shared chats or threads. The weakness stems from a shared session key, 'ohmo', that lacks proper sender identity verification. An attacker in the shared environment can reuse another user's session state, colliding into the same session boundary and so entering that user's conversation. Affected users may have their activities interrupted or their tasks hijacked by malicious participants exploiting this session key flaw.

Affected Version(s)

OpenHarness 0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon