{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/openharness/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7551"}],"_cs_exploited":false,"_cs_products":["OpenHarness"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","injection"],"_cs_type":"advisory","_cs_vendors":["HKUDS"],"content_html":"\u003cp\u003eHKUDS OpenHarness is vulnerable to a remote code execution flaw (CVE-2026-7551) affecting the /bridge slash command. This vulnerability permits remote attackers, who are authorized by the OpenHarness configuration, to execute arbitrary operating system commands on the host system. The attack leverages the /bridge spawn command, which, when supplied with attacker-controlled command text, is processed by the bridge session manager and executed through a shared shell subprocess. This execution context grants attackers the ability to spawn shell sessions with the privileges of the OpenHarness process user, potentially exposing local files, credentials, workspace state, and repository contents. Successful exploitation results in a complete compromise of the OpenHarness instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an accessible OpenHarness instance with the vulnerable /bridge slash command enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates or gains access to a communication channel (e.g., chat application) accepted by OpenHarness.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious /bridge spawn command containing OS commands to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted /bridge spawn command to the OpenHarness instance via the configured communication channel.\u003c/li\u003e\n\u003cli\u003eOpenHarness processes the /bridge command and forwards the attacker-controlled command text to the bridge session manager.\u003c/li\u003e\n\u003cli\u003eThe bridge session manager executes the injected OS commands through a shared shell subprocess.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a shell session with the privileges of the OpenHarness process user.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses local files, credentials, workspace state, and repository contents, potentially exfiltrating sensitive data or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7551 allows attackers to execute arbitrary operating system commands on the OpenHarness server. This grants them the ability to spawn shell sessions as the OpenHarness process user, which can lead to the exposure of sensitive information such as local files, credentials, workspace state, and repository contents. The impact of this vulnerability is significant, potentially allowing for complete system compromise and data exfiltration, but the exact number of victims is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates provided by HKUDS to address CVE-2026-7551 on all OpenHarness instances.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the /bridge slash command to prevent the injection of malicious OS commands.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious shell executions originating from the OpenHarness process using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the OpenHarness server to only authorized users and systems.\u003c/li\u003e\n\u003cli\u003eReview OpenHarness configurations to ensure that only trusted communication channels are accepted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T22:17:40Z","date_published":"2026-04-30T22:17:40Z","id":"/briefs/2026-05-openharness-rce/","summary":"HKUDS OpenHarness contains a remote code execution vulnerability (CVE-2026-7551) in the /bridge slash command, allowing remote attackers to execute arbitrary operating system commands by injecting malicious commands via the /bridge spawn command, leading to unauthorized shell access and data exposure.","title":"HKUDS OpenHarness Remote Code Execution via /bridge Slash Command (CVE-2026-7551)","url":"https://feed.craftedsignal.io/briefs/2026-05-openharness-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenHarness","version":"https://jsonfeed.org/version/1.1"}