PT-2026-33196 · Unknown · Openharness
Published
2026-04-16
·
Updated
2026-04-16
·
CVE-2026-40503
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenHarness versions prior to commit dd1d235
Description
Remote gateway users with chat access can read arbitrary files by supplying path traversal sequences to the '/memory show' slash command. Attackers can manipulate the
path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process due to a lack of filesystem containment validation.Recommendations
Update to commit dd1d235 or a newer version.
As a temporary workaround, restrict access to the '/memory show' slash command.
Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openharness