CVE-2026-6819
Published 2026-04-21
Priority: P3 · 51 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.29% (20.9th percentile)
HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hkuds | openharness | < PR #156 | PR #156 |
| hkuds | openharness | < 0.1.7 | 0.1.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-3xqw-r49f-5rj8: HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /relo
ghsa_unreviewed·2026-04-21
CVE-2026-6819 [HIGH] CWE-276 GHSA-3xqw-r49f-5rj8: HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /relo
VulDB
HKUDS OpenHarness up to 155 Plugin Installation /plugin default permission
vuldb·2026-04-21·CVSS 8.7
CVE-2026-6819 [HIGH] HKUDS OpenHarness up to 155 Plugin Installation /plugin default permission
A vulnerability labeled as critical has been found in HKUDS OpenHarness up to 155. This vulnerability affects unknown code of the file /plugin of the component Plugin Installation Handler. Such manipulation leads to incorrect default permissions.
This vulnerability is uniquely identified as CVE-2026-6819. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/HKUDS/OpenHarness/commit/59017e09880fcf9a6f60456a84fb982900b2c0b2
https://github.com/HKUDS/OpenHarness/pull/156
https://github.com/HKUDS/OpenHarness/releases/tag/v0.1.7
https://www.vulncheck.com/advisories/hkuds-openharness-plugin-management-command-exposure