CVE-2026-56695 | OpenHarness ohmo gateway /resume and /summary slash commands… | CVSS 6.5 MEDIUM

Description

OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.

Metadata

CVE ID: CVE-2026-56695
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-22 17:09 UTC
Published: 2026-06-23 15:36 UTC
Last updated: 2026-06-23 15:36 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: HKUDS / OpenHarness
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
HKUDS	OpenHarness	—	0 ≤ 0.1.9, 92e298852c9b9c8c2266236292073623418c640a

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (3)