CVE-2026-7551

HighPublic PoC

Published: 30 April 2026

Published

30 April 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded…

to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the command injection vulnerability (CWE-78) by validating attacker-controlled command text in the /bridge spawn subcommand before forwarding to the shell subprocess.

SI-2 Flaw Remediation good match

prevent

Remediates the specific RCE flaw in /bridge slash command processing through timely patching as provided in the referenced GitHub commit.

AC-6 Least Privilege good match

prevent

Enforces least privilege for the OpenHarness process user, limiting the impact of spawned shell sessions by restricting access to local files, credentials, and repository contents.

Security SummaryAI

HKUDS OpenHarness is affected by CVE-2026-7551, a remote code execution vulnerability (CWE-78) published on 2026-04-30, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue resides in the /bridge slash command, where remote senders accepted by configuration can supply attacker-controlled command text via the /bridge spawn subcommand. This input is forwarded to the bridge session manager and executed through a shared shell subprocess helper.

Attackers with low privileges—specifically, remote senders authorized in the OpenHarness configuration—can exploit this over the network with low complexity and no user interaction. Successful exploitation enables spawning shell sessions as the OpenHarness process user, providing high-impact access to local files, credentials, workspace state, and repository contents.

Mitigation details are provided in the patching GitHub commit 438e37309778e19060dfe7b172eb142e543c4cd6 and pull request #208. Further advisory information, including exploitation vectors and remediation guidance, is available from VulnCheck at https://www.vulncheck.com/advisories/hkuds-openharness-remote-command-execution-via-bridge-slash-command.

Details

CWE(s): CWE-78

Affected Products

hkuds

openharness

≤ 2026-04-27

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

CVE-2026-7551 enables remote code execution via OS command injection (CWE-78) in the /bridge slash command, directly facilitating T1190 (Exploit Public-Facing Application) through network-accessible RCE and T1059 (Command and Scripting Interpreter) via execution of attacker-controlled commands in a shell subprocess.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/HKUDS/OpenHarness/commit/438e37309778e19060dfe7b172eb142e543c4cd6
Patch · disclosure@vulncheck.com
https://github.com/HKUDS/OpenHarness/pull/208
Exploit, Issue Tracking, Patch, Third Party Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/hkuds-openharness-remote-command-execution-via-bridge-slash-command
Third Party Advisory · disclosure@vulncheck.com