PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40503 HKUDS CVE debrief

CVE-2026-40503 is a path traversal vulnerability in OpenHarness prior to commit dd1d235. This CVE record was published on 2026-04-16T01:16:11.440Z and was last modified on 2026-07-14T21:16:48.147Z. The vulnerability allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. This could potentially lead to unauthorized access to sensitive files. Users of OpenHarness should be aware of this vulnerability and take steps to mitigate it by applying the patch or taking compensating controls.

Vendor
HKUDS
Product
OpenHarness
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-16
Original CVE updated
2026-07-14
Advisory published
2026-04-16
Advisory updated
2026-07-14

Who should care

Users of OpenHarness prior to commit dd1d235 should be aware of this path traversal vulnerability and take steps to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their environments and apply necessary patches or compensating controls.

Technical summary

The vulnerability is caused by a lack of filesystem containment validation in the /memory show slash command. This allows attackers to manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process. The issue affects OpenHarness prior to commit dd1d235, potentially leading to unauthorized access to sensitive files. Users should review their installations and apply the patch or take mitigating actions.

Defensive priority

High

Recommended defensive actions

  • Apply the patch at https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af
  • Review and update OpenHarness installations to ensure they are using a version with the patch applied
  • Monitor OpenHarness systems for suspicious activity
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-04-16T01:16:11.440Z and was last modified on 2026-07-14T21:16:48.147Z. The NVD entry is currently Analyzed. This information is based on the NVD entry and the CVE record. The vulnerability affects OpenHarness prior to commit dd1d235. Evidence of exploitation is not currently available. Defenders should verify the patch status of their OpenHarness installations and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-16T01:16:11.440Z and has not been modified since then. The NVD entry is currently Analyzed.