OpenHarness Command Injection: Remote Admin Control Via Chat

The National Vulnerability Database (NVD) has detailed CVE-2026-40502, a high-severity command injection vulnerability impacting OpenHarness instances prior to commit dd1d235. This flaw allows remote gateway users with chat access to execute sensitive administrative commands, effectively bypassing operator authorization. The core issue, according to NVD, lies in the gateway handler’s insufficient distinction between commands intended for local-only execution and those deemed safe for remote access.

An attacker exploiting this vulnerability could use a remote chat session to invoke administrative functions such as /permissions full_auto, changing the permission mode of a running OpenHarness instance without any legitimate operator oversight. NVD assigns the vulnerability a CVSS v3.1 base score of 8.8 (HIGH), underscoring the risk it poses to affected deployments. The associated weakness is CWE-862 (Missing Authorization).
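The defect NVD describes is an authorization check that is missing at the gateway: the handler knows which commands are local-only but never consults that knowledge against the origin of the session issuing them. The following Python example is added here to illustrate that class of defect and its fix; it is not OpenHarness code. The command names in the registry, the Session/Origin model, the audit-log format and the function names are all assumptions made for the illustration. The "vulnerable" dispatcher runs any registered command for any session; the hardened one refuses local-only commands from remote sessions and records the refusal, which is the event a detection rule for this behaviour would key on.

```python
"""Authorization-by-origin check for a chat command gateway.

Added illustration, not OpenHarness code. The command names, the
Session/Origin model and the audit-log format are assumptions made here
to show the class of defect described for CVE-2026-40502: a gateway that
dispatches administrative commands without checking whether the
requesting session is local or remote.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Origin(Enum):
    LOCAL = "local"    # operator terminal attached to the instance
    REMOTE = "remote"  # user connected through the chat gateway


@dataclass(frozen=True)
class Session:
    user: str
    origin: Origin


@dataclass(frozen=True)
class Command:
    name: str
    local_only: bool  # True for commands that change operator-level state


# Hypothetical registry. /permissions and /shutdown are marked local-only;
# /help and /status are the kind of command a remote chat user may reasonably run.
REGISTRY: Dict[str, Command] = {
    "/help": Command("/help", local_only=False),
    "/status": Command("/status", local_only=False),
    "/permissions": Command("/permissions", local_only=True),
    "/shutdown": Command("/shutdown", local_only=True),
}


def lookup(line: str) -> Optional[Command]:
    """Return the registered command named by the first token of a chat line, or None."""
    name = line.split(maxsplit=1)[0] if line.strip() else ""
    return REGISTRY.get(name)


def dispatch_vulnerable(session: Session, line: str) -> str:
    """Before-the-fix shape: any registered command runs for any session.

    The local_only flag exists in the registry but is never consulted, so a
    remote chat user can run '/permissions full_auto' exactly like an operator.
    """
    cmd = lookup(line)
    if cmd is None:
        return "unknown command"
    return f"executed {cmd.name} for {session.user}"


def dispatch_hardened(session: Session, line: str, audit: List[str]) -> str:
    """Hardened shape: authorization is decided on the session's origin.

    local_only commands are refused for any non-LOCAL session and the refusal
    is appended to `audit`, giving the SIEM a concrete event to alert on.
    """
    cmd = lookup(line)
    if cmd is None:
        return "unknown command"
    if cmd.local_only and session.origin is not Origin.LOCAL:
        audit.append(
            f"DENY user={session.user} origin={session.origin.value} cmd={cmd.name}"
        )
        return "denied: command is local-only"
    return f"executed {cmd.name} for {session.user}"


if __name__ == "__main__":
    remote = Session("chat-user", Origin.REMOTE)
    operator = Session("op", Origin.LOCAL)
    log: List[str] = []
    print(dispatch_vulnerable(remote, "/permissions full_auto"))   # runs: the bug
    print(dispatch_hardened(remote, "/permissions full_auto", log))  # denied
    print(dispatch_hardened(operator, "/permissions full_auto", log))  # runs: local operator
    print(dispatch_hardened(remote, "/status", log))  # runs: remote-safe command
    print(log)
```

The important design point is that the decision is made once, at the gateway, from a property of the session that the client cannot set (where the connection came from), not from anything in the chat text itself. The denial line is deliberately structured (user, origin, command) so that a rule such as "any DENY with origin=remote and cmd=/permissions" can be written against the log without parsing free text.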

Indicators of Compromise

ID             | Type                 | Indicator
CVE-2026-40502 | Command Injection    | OpenHarness prior to commit dd1d235
CVE-2026-40502 | Command Injection    | Insufficient distinction between local-only and remote-safe commands in the gateway handler
CVE-2026-40502 | Privilege Escalation | Remote gateway users with chat access can invoke sensitive administrative commands
CVE-2026-40502 | Command Injection    | Execution of administrative commands such as /permissions full_auto through remote chat sessions
