PatchSiren cyber security CVE debrief

CVE-2026-27766 OpenHarmony CVE debrief

CVE-2026-27766 is a medium-severity information disclosure vulnerability affecting OpenHarmony v6.0 and prior versions. The vulnerability allows a local attacker to cause information leakage. The issue was published on 2026-05-19 and carries a CVSS 3.1 score of 5.5 (MEDIUM) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact. The weakness has been classified as CWE-364. The vulnerability status in NVD is currently 'Deferred'. The primary reference points to OpenHarmony's security disclosure documentation.

Vendor: OpenHarmony
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations running OpenHarmony v6.0 or earlier in production environments, particularly those with multi-user local access scenarios or strict data confidentiality requirements.

Technical summary

A local information disclosure vulnerability in OpenHarmony v6.0 and prior. Exploitation requires local access with low privileges and no user interaction. The confidentiality impact is high. The root cause is associated with the CWE-364 weakness classification.

Defensive priority

Medium

Recommended defensive actions

  • Review OpenHarmony security disclosure documentation for affected components and patch availability
  • Assess local access controls on OpenHarmony v6.0 and prior deployments
  • Monitor NVD for status updates from 'Deferred' to active analysis
  • Apply security updates from OpenHarmony project when available
  • Implement principle of least privilege for local user accounts

Evidence notes

The official CVE record and NVD entry confirm local information disclosure in OpenHarmony v6.0 and prior. The CVSS vector indicates high confidentiality impact (C:H) with local access requirements. The weakness is classified as CWE-364. Vendor attribution is based on reference domain evidence (Gitcode/OpenHarmony).
