PatchSiren cyber security CVE debrief
CVE-2026-40503 HKUDS CVE debrief
CVE-2026-40503 is a path traversal vulnerability in OpenHarness prior to commit dd1d235. This CVE record was published on 2026-04-16T01:16:11.440Z and was last modified on 2026-07-14T21:16:48.147Z. The vulnerability allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. This could potentially lead to unauthorized access to sensitive files. Users of OpenHarness should be aware of this vulnerability and take steps to mitigate it by applying the patch or taking compensating controls.
- Vendor
- HKUDS
- Product
- OpenHarness
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-16
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-16
- Advisory updated
- 2026-07-14
Who should care
Users of OpenHarness prior to commit dd1d235 should be aware of this path traversal vulnerability and take steps to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their environments and apply necessary patches or compensating controls.
Technical summary
The vulnerability is caused by a lack of filesystem containment validation in the /memory show slash command. This allows attackers to manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process. The issue affects OpenHarness prior to commit dd1d235, potentially leading to unauthorized access to sensitive files. Users should review their installations and apply the patch or take mitigating actions.
Defensive priority
High
Recommended defensive actions
- Apply the patch at https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af
- Review and update OpenHarness installations to ensure they are using a version with the patch applied
- Monitor OpenHarness systems for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-04-16T01:16:11.440Z and was last modified on 2026-07-14T21:16:48.147Z. The NVD entry is currently Analyzed. This information is based on the NVD entry and the CVE record. The vulnerability affects OpenHarness prior to commit dd1d235. Evidence of exploitation is not currently available. Defenders should verify the patch status of their OpenHarness installations and monitor for suspicious activity.
Official resources
-
CVE-2026-40503 CVE record
CVE.org
-
CVE-2026-40503 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Exploit, Issue Tracking
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-16T01:16:11.440Z and has not been modified since then. The NVD entry is currently Analyzed.