Mallory

OpenHarness Flaws Exposed Remote Administrative and Plugin Management Commands

Tags: internet-facing-service-vulnerability, identity-authentication-vulnerability, widely-deployed-product-advisory
Updated April 21, 2026 at 09:05 PM (2 sources)

Two high-severity vulnerabilities in OpenHarness exposed administrative functionality to remote users through the platform’s gateway and channel layers. CVE-2026-40502 affects versions prior to commit dd1d235 and stems from insufficient separation between local-only and remote-safe commands in the gateway handler, allowing remote gateway users with chat access to invoke sensitive administrative actions, such as changing permission modes on a running instance, without operator approval. The issue is classified as CWE-862 and carries the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

A second flaw, CVE-2026-6819, affects HKUDS OpenHarness prior to the fix delivered in pull request #156 and later release v0.1.7, exposing plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. An attacker who gains access through the channel layer could use the weakness to install or activate untrusted plugins and alter plugin trust state remotely, creating a path to full compromise of confidentiality, integrity, and availability. The vulnerability is tracked as CWE-276 with CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
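Both CVEs share one root cause: a command dispatcher that executes whatever slash command arrives without asking where the sender sits. The Python sketch below is an added example, not OpenHarness code; it models that flaw pattern and one hardened form. The `/permission-mode` command name, the `Sender`/`Origin` types, the `Instance` class and the remote-safe command set are assumptions; only the `/plugin install`, `/plugin enable`, `/plugin disable` and `/reload-plugins` names come from the advisory. The flawed dispatcher runs any command for any sender; the hardened one denies by default and lets only a local operator session run state-changing commands, recording each refusal in an audit list.

```python
"""Origin-gated command dispatch for a chat-driven agent gateway.

Added example, not OpenHarness code. Names here are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    LOCAL = "local"    # operator session on the host itself
    REMOTE = "remote"  # arrived through the gateway / channel layer


@dataclass(frozen=True)
class Sender:
    name: str
    origin: Origin


class Denied(PermissionError):
    """Raised when a sender is not allowed to run a command."""


# Read-only commands any chat user may run (assumed set).
REMOTE_SAFE = frozenset({"/help", "/status", "/plugin list"})

# State-changing commands that must stay operator-only.
LOCAL_ONLY = frozenset({
    "/permission-mode",                      # hypothetical name
    "/plugin install", "/plugin enable", "/plugin disable",
    "/reload-plugins",
})


def parse(line: str) -> tuple[str, str]:
    """Split '/plugin install foo' into ('/plugin install', 'foo')."""
    parts = line.strip().split()
    if not parts:
        raise ValueError("empty command line")
    two = " ".join(parts[:2])
    if len(parts) >= 2 and two in (REMOTE_SAFE | LOCAL_ONLY):
        return two, " ".join(parts[2:])
    return parts[0], " ".join(parts[1:])


class Instance:
    def __init__(self) -> None:
        self.permission_mode = "ask"
        self.plugins: dict[str, bool] = {}   # name -> enabled?
        self.audit: list[tuple[str, str, str]] = []   # (sender, cmd, outcome)

    def _run(self, cmd: str, arg: str) -> str:
        """Command bodies; authorization is NOT done here."""
        if cmd == "/help":
            return "commands: " + ", ".join(sorted(REMOTE_SAFE | LOCAL_ONLY))
        if cmd == "/status":
            return f"mode={self.permission_mode} plugins={sorted(self.plugins)}"
        if cmd == "/plugin list":
            return ", ".join(f"{n}:{'on' if e else 'off'}"
                             for n, e in sorted(self.plugins.items())) or "(none)"
        if cmd == "/permission-mode":
            self.permission_mode = arg
            return f"mode set to {arg}"
        if cmd == "/plugin install":
            self.plugins[arg] = False
            return f"installed {arg}"
        if cmd in ("/plugin enable", "/plugin disable"):
            self.plugins[arg] = cmd.endswith("enable")
            return f"{cmd.split()[1]}d {arg}"
        if cmd == "/reload-plugins":
            return "plugins reloaded"
        raise ValueError(f"unknown command {cmd!r}")

    def dispatch_unchecked(self, sender: Sender, line: str) -> str:
        """Flawed pattern: sender origin is never consulted."""
        cmd, arg = parse(line)
        out = self._run(cmd, arg)
        self.audit.append((sender.name, cmd, "ok"))
        return out

    def dispatch_checked(self, sender: Sender, line: str) -> str:
        """Hardened: deny by default; remote senders get the allowlist only."""
        cmd, arg = parse(line)
        allowed = REMOTE_SAFE | LOCAL_ONLY if sender.origin is Origin.LOCAL else REMOTE_SAFE
        if cmd not in allowed:
            self.audit.append((sender.name, cmd, "denied"))
            raise Denied(f"{cmd!r} refused for {sender.origin.value} sender {sender.name}")
        out = self._run(cmd, arg)
        self.audit.append((sender.name, cmd, "ok"))
        return out


def demo() -> dict:
    """Replay one constructed remote session against both dispatchers."""
    remote = Sender("chat-user", Origin.REMOTE)
    local = Sender("operator", Origin.LOCAL)
    script = ["/permission-mode bypass", "/plugin install evil",
              "/plugin enable evil", "/status"]

    flawed = Instance()
    for line in script:
        flawed.dispatch_unchecked(remote, line)

    fixed = Instance()
    denied = []
    for line in script:
        try:
            fixed.dispatch_checked(remote, line)
        except Denied:
            denied.append(parse(line)[0])
    remote_state = (fixed.permission_mode, dict(fixed.plugins))
    fixed.dispatch_checked(local, "/permission-mode bypass")  # operator may still do it

    return {
        "flawed": (flawed.permission_mode, dict(flawed.plugins)),
        "fixed_after_remote": remote_state,
        "denied": denied,
        "fixed_after_operator": fixed.permission_mode,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the shape of the check, not the specific command names: the allowlist is computed from the sender's origin before any command body runs, unknown commands are refused rather than falling through, and every refusal lands in the audit list so a defender can alert on repeated attempts from the channel layer.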

Timeline

1. Apr 21, 2026: HKUDS OpenHarness plugin command exposure CVE-2026-6819 disclosed

   On 2026-04-21, CVE-2026-6819 was disclosed for HKUDS OpenHarness, affecting versions prior to remediation in pull request #156 and the related v0.1.7 release. The issue exposed plugin management commands such as install, enable, disable, and reload to remote senders by default, enabling unauthorized plugin installation and activation if channel-layer access was obtained.

2. Apr 16, 2026: OpenHarness command injection flaw CVE-2026-40502 disclosed

   On 2026-04-16, CVE-2026-40502 was disclosed affecting OpenHarness before commit dd1d235. The gateway handler flaw allowed remote gateway users with chat access to invoke sensitive administrative commands, including changing permission modes without operator authorization.


Related Stories

OpenClaw Flaws Let Authenticated Users Escalate Privileges and Bypass Authorization

Two high-severity vulnerabilities in OpenClaw exposed paths for authenticated users to gain access beyond their intended roles. **CVE-2026-32042** affects versions before `2026.2.25` and allows an attacker with valid shared gateway authentication to present a self-signed, unpaired device identity and bypass pairing requirements, then self-assign elevated operator scopes including `operator.admin`. The issue is classified as `CWE-863` and effectively turns a trusted but unapproved device identity into a route for privilege escalation. A second flaw, **CVE-2026-32051**, affects OpenClaw versions before `2026.3.1` and allows users with `operator.write` scope to reach owner-only tool surfaces such as gateway and cron through agent runs in scoped-token deployments. The authorization mismatch lets lower-privileged authenticated users perform control-plane actions that should be restricted to owners, creating high risk to confidentiality, integrity, and availability. Advisories for both issues point to fixes and security guidance through GitHub and VulnCheck.

2 weeks ago
OneUptime Flaws Enabled Forged WhatsApp Webhooks and Probe Command Execution

Two high-severity vulnerabilities were disclosed in **OneUptime**, an open-source monitoring and observability platform, affecting webhook handling and synthetic monitoring. **CVE-2026-33143** impacts versions before `10.0.34` and stems from missing verification of the Meta/WhatsApp `X-Hub-Signature-256` HMAC signature in the `POST /notification/whatsapp/webhook` handler. An unauthenticated attacker could forge WhatsApp status update payloads, manipulate notification delivery records, suppress alerts, and corrupt audit trails. The issue was classified as `CWE-345` and patched in version `10.0.34`. A second flaw, **CVE-2026-33396**, affects versions before `10.0.35` and allows a low-privileged authenticated user with the **ProjectMember** role to achieve remote command execution on the Probe container or host through Synthetic Monitor Playwright script execution. The weakness lies in `VMRunner.runCodeInNodeVM`, where sandboxed code retained access to a live Playwright page object and could reach dangerous methods such as `_browserType.launchServer(...)`, bypassing an incomplete denylist. The vulnerability was mapped to `CWE-78`, `CWE-693`, and `CWE-184`, carries a `CVSS:3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` rating, and was fixed in **OneUptime** version `10.0.35`.

1 month ago
High-Severity Flaws Expose Harbor to Default-Password Access and N2WS to RCE

Two high-severity vulnerabilities were disclosed affecting widely used infrastructure software. **GoHarbor Harbor** is affected by `CVE-2026-4404`, a hard-coded/default credential issue in version `2.15.0` and below that can let attackers authenticate to the Harbor web UI with the default administrator password if it was never changed. The published scoring indicates the flaw is network-accessible, requires no privileges or user interaction, and can lead to high confidentiality and integrity impact. **N2WS Backup & Recovery** is affected by `CVE-2025-32991`, which impacts versions before `4.4.0` and can lead to remote code execution through a two-step attack against the product’s RESTful API. The CVSS v3.1 vector rates the issue as remotely exploitable with no required privileges or user interaction, despite high attack complexity, and assigns high impact across confidentiality, integrity, and availability. The CVE entry was updated with links to an N2WS security advisory and vendor resources.

1 month ago