← voltar
CVE-2026-40515

OpenHarness Permission Bypass via grep and glob root argument

CVSS 8.7 HIGHEPSS 0.2%CWE-863
OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not properly evaluated against configured path rules, allowing disclosure of sensitive local file content, key material, configuration files, or directory contents despite configured path restrictions.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Produtos afetados
HKUDS · OpenHarness

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/HKUDS/OpenHarness/commit/bd4df81f634f8c7cddcc3fdf7f561a13dcbf03aehttps://github.com/HKUDS/OpenHarness/pull/92https://www.vulncheck.com/advisories/openharness-permission-bypass-via-grep-and-glob-root-argument