Insecure Default Configuration Vulnerability in HKUDS OpenHarness
CVE-2026-6823

8.3HIGH

Key Information:

Vendor: Hkuds
Status: Openharness
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-6823?

The OpenHarness platform developed by HKUDS is affected by an insecure default configuration that can expose sensitive information. Prior to the application of remediation in PR #147, the system allows remote channels to inherit an overly permissive allowlist ('allow_from = ["*"]'), which can potentially allow unauthorized users to bypass access checks. If an attacker gains access to the configured channel, they may exploit this vulnerability to reach host-backed agent runtimes, enabling unauthorized file disclosures and unauthorized read access through default-enabled read-only tools.

Affected Version(s)

OpenHarness 0

References

https://github.com/HKUDS/OpenHarness/pull/147

patch

https://github.com/HKUDS/OpenHarness/commit/fab40c6eabfb1...

patch

https://github.com/HKUDS/OpenHarness/releases/tag/v0.1.7

third-party-advisory

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 21, 2026

Credit

Chia Min Jun Lennon

CVE-2026-6823 Data

JSON