PT-2026-33464 · Unknown · Openharness
Published: 2026-04-17 · Updated: 2026-04-19 · CVE-2026-40516
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: OpenHarness versions prior to commit bd4df81

Description: An issue exists in the 'web fetch' and 'web search' tools where target addresses are not properly validated. This allows attackers to manipulate tool parameters to access private and localhost HTTP services. By influencing an agent session, attackers can invoke these tools against loopback, RFC1918, link-local, or other non-public addresses to read response bodies from local development services, cloud metadata endpoints, admin panels, or other private HTTP services reachable from the victim host.

Recommendations: Update to the version containing commit bd4df81. As a temporary workaround, restrict the use of the 'web fetch' and 'web search' tools to minimize the risk of exploitation.
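The defensive control the description implies is an egress check on every URL an agent passes to a fetch tool: resolve the host, judge every resulting address, and refuse loopback, RFC1918, link-local and other non-public ranges before any connection is made. The following is an added example written for this advisory; it is not OpenHarness code and not the fix in commit bd4df81. The function names (check_fetch_target, constructed_resolver), the offline DNS table and the sample URLs are assumptions made for illustration.

```python
"""Egress target validation for an agent's web-fetch / web-search tool.

Added example for this advisory; not OpenHarness code and not the bd4df81
fix. check_fetch_target, constructed_resolver and the DNS table are
assumptions made for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip_text: str) -> tuple[bool, str]:
    """Return (True, '') for a routable public address, else (False, why)."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback in disguise: judge the embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return False, f"{ip} is loopback"
    if ip.is_link_local:
        return False, f"{ip} is link-local (cloud metadata range)"
    if ip.is_private:
        return False, f"{ip} is private (RFC 1918 / ULA)"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False, f"{ip} is not a unicast public address"
    if not ip.is_global:
        return False, f"{ip} is not globally routable"
    return True, ""


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname with the OS resolver (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline; these are not real records.
_CONSTRUCTED_TABLE = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
}


def constructed_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver, backed by the constructed table."""
    return _CONSTRUCTED_TABLE.get(host.lower(), [])


def check_fetch_target(url: str, resolver=system_resolver) -> tuple[bool, str, list[str]]:
    """Decide whether a tool-supplied URL may be fetched.

    Returns (allowed, reason, addresses). When allowed, the caller should
    connect to one of the returned addresses directly rather than resolving
    the name again, so a second DNS answer (rebinding) cannot change the
    decision between check and use.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not host:
        return False, "missing host", []
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, no lookup needed
    except ValueError:
        addrs = resolver(host)  # hostname: every address it maps to must pass
    if not addrs:
        return False, f"{host!r} did not resolve", []
    for addr in addrs:
        ok, why = _is_public(addr)
        if not ok:
            return False, why, []
    return True, "", addrs


if __name__ == "__main__":
    samples = [
        "https://example.com/page",
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/",
        "http://10.0.0.5/admin",
        "http://localhost/",
        "file:///etc/passwd",
    ]
    for sample in samples:
        allowed, reason, addrs = check_fetch_target(sample, resolver=constructed_resolver)
        print("ALLOW" if allowed else "DENY ", sample, addrs if allowed else reason)
```

Two points matter beyond the range list. First, the check has to run on resolved addresses, not on the hostname string, because names such as localhost, short forms like 127.1, or an attacker-controlled DNS record all end at a non-public address; the tool must also re-run the check on every HTTP redirect, since a public host can redirect to a private one. Second, the allowed addresses are returned so the fetcher can connect to them directly; validating and then letting an HTTP client resolve the name a second time reopens the gap.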

Weakness Enumeration: SSRF

Related Identifiers: CVE-2026-40516

Affected Products: Openharness