PatchSiren cyber security CVE debrief
CVE-2026-22682 HKUDS CVE debrief
CVE-2026-22682 is an improper access control vulnerability in OpenHarness built-in file tools. Attackers can exploit inconsistent parameter handling in permission enforcement to read arbitrary local files outside the intended repository scope. This could allow access to sensitive files such as configuration files, credentials, and SSH material. The vulnerability exists in OpenHarness prior to commit 166fcfe.
- Vendor
- HKUDS
- Product
- OpenHarness
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-07
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-07
- Advisory updated
- 2026-07-14
Who should care
Users of OpenHarness prior to commit 166fcfe should assess and mitigate this vulnerability to prevent unauthorized file access. This includes operators, platform administrators, vulnerability management teams, and security teams who need to ensure the security and integrity of their OpenHarness installations.
Technical summary
The vulnerability exists in OpenHarness prior to commit 166fcfe due to inconsistent parameter handling in permission enforcement for read_file, write_file, edit_file, and notebook_edit tools. This allows attackers to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths. The CVSS score of 8.4 indicates high severity. Users should assess and mitigate this vulnerability to prevent unauthorized file access. The vulnerability can be exploited by attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. To address this, operators, platform administrators, vulnerability management teams, and security teams should ensure the security and integrity of their OpenHarness installations.
Defensive priority
High priority due to CVSS score of 8.4 and potential for sensitive file exposure.
Recommended defensive actions
- Inventory and assess OpenHarness installations for version and commit status.
- Apply the patch at commit 166fcfe or later.
- Implement compensating controls such as file system access restrictions.
- Monitor for suspicious file access attempts.
- Review and update access control configurations for file tools.
- Perform a thorough review of current file tool usage and permissions.
- Ensure proper segregation of duties for OpenHarness administrators.
Evidence notes
The CVE record was published on 2026-04-07T18:16:39.033Z and last modified on 2026-07-14T16:16:51.620Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify OpenHarness version and commit status, assess potential file exposure, and review access control configurations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-07T18:16:39.033Z and has not been modified since then. The NVD entry is currently Deferred.