{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40503", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-13T20:29:02.808Z", "datePublished": "2026-04-16T00:08:09.535Z", "dateUpdated": "2026-04-16T13:42:38.789Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-16T00:10:30.308Z"}, "title": "OpenHarness Path Traversal Information Disclosure via /memory show", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "HKUDS", "product": "OpenHarness", "repo": "https://github.com/HKUDS/OpenHarness", "versions": [{"status": "affected", "version": "0", "lessThan": "dd1d235450dd987b20bff01b7bfb02fe8620a0af", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process without filesystem containment validation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process without filesystem containment validation.<br>"}]}], "references": [{"url": "https://github.com/HKUDS/OpenHarness/pull/127", "tags": ["issue-tracking"]}, {"url": "https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openharness-path-traversal-information-disclosure-via-memory-show", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Chia Min Jun Lennon", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:40:58.633483Z", "id": "CVE-2026-40503", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:42:38.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40503", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:40:58.633483Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:41:03.089Z"}}], "cna": {"title": "OpenHarness Path Traversal Information Disclosure via /memory show", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Chia Min Jun Lennon"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/HKUDS/OpenHarness", "vendor": "HKUDS", "product": "OpenHarness", "versions": [{"status": "affected", "version": "0", "lessThan": "dd1d235450dd987b20bff01b7bfb02fe8620a0af", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/HKUDS/OpenHarness/pull/127", "tags": ["issue-tracking"]}, {"url": "https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openharness-path-traversal-information-disclosure-via-memory-show", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process without filesystem containment validation.", "supportingMedia": [{"type": "text/html", "value": "OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process without filesystem containment validation.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-16T00:10:30.308Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40503", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:42:38.789Z", "dateReserved": "2026-04-13T20:29:02.808Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-16T00:08:09.535Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*", "matchCriteriaId": "672BBCF1-1AB6-42DE-B02A-BAEECF3DA6E0", "versionEndExcluding": "2026-04-13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process without filesystem containment validation."}], "id": "CVE-2026-40503", "lastModified": "2026-04-23T19:39:11.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-16T01:16:11.440", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/HKUDS/OpenHarness/pull/127"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/openharness-path-traversal-information-disclosure-via-memory-show"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,dd1d235450dd987b20bff01b7bfb02fe8620a0af)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OpenHarness", "source": "cna", "vendor": "HKUDS"}, "product": "openharness", "vendor": "hkuds"}], "analysis": {"en": {"generated_at": "2026-04-17T05:54:58.014273+00:00", "value": {"mitigation_remediation": ["Upgrade OpenHarness to any revision that includes the patch after commit dd1d235 or apply the fix manually by restricting path traversal.", "Disable or restrict the /memory show command for untrusted users, limiting its use to privileged accounts only.", "Monitor system logs for attempts to read or list files through the /memory show command and investigate any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems are deployments of OpenHarness using a version prior to commit dd1d235450dd987b20bff01b7bfb02fe8620a0af, provided by the HKUDS vendor. The flaw exists in all installations that expose the /memory show command to chat users.", "description_and_impact": "OpenHarness before commit dd1d235 suffered from a path\u2011traversal flaw in the /memory show command. A remote user with chat access can supply traversal sequences that cause the OpenHarness process to read any file reachable in the file system, leading to unintended disclosure of sensitive data. The vulnerability relies on lack of filesystem containment checks when resolving the input path (CWE-22).", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate to high risk, while the EPSS score is below 1%, suggesting a low but non-zero exploitation probability. The requirement of remote gateway chat access limits the threat to environments where such access is granted. Attackers can retrieve arbitrary files through the web API using a simple HTTP request to the /memory show slash command, resulting in a confidentiality breach with potential operational impact."}}}}, "created": "2026-04-16T09:12:10.256794+00:00", "updated": "2026-04-17T06:00:09.280325+00:00", "vendors": ["hkuds", "hkuds$PRODUCT$openharness"]}