CVE-2026-56695

EUVD-2026-38467
OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
VulnCheckCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
hkudsopenharness
𝑥
≤ 0.1.9
CNA
Common Weakness Enumeration
References
https://github.com/HKUDS/OpenHarness/commit/92e298852c9b9c8c2266236292073623418c640a
https://github.com/HKUDS/OpenHarness/pull/276
https://www.vulncheck.com/advisories/openharness-cross-session-disclosure-via-resume-and-summary-commands