{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6729", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T21:48:49.949Z", "datePublished": "2026-04-20T22:01:38.766Z", "dateUpdated": "2026-04-20T22:01:38.766Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-20T22:01:38.766Z"}, "title": "HKUDS OpenHarness Session Key Collision Privilege Escalation", "datePublic": "2026-04-20T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-287", "description": "Improper Authentication (CWE-287)", "type": "CWE"}]}], "affected": [{"vendor": "HKUDS", "product": "OpenHarness", "versions": [{"status": "affected", "version": "0", "lessThan": "PR #159", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.</p>"}]}], "references": [{"url": "https://github.com/HKUDS/OpenHarness/pull/159", "tags": ["patch"]}, {"url": "https://github.com/HKUDS/OpenHarness/commit/3186851c479ee714a9bb9aa6cd77017db7e589e2", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/hkuds-openharness-session-key-collision-privilege-escalation", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "credits": [{"lang": "en", "value": "Chia Min Jun Lennon", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope."}], "id": "CVE-2026-6729", "lastModified": "2026-04-20T22:16:23.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-20T22:16:23.800", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/HKUDS/OpenHarness/commit/3186851c479ee714a9bb9aa6cd77017db7e589e2"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/HKUDS/OpenHarness/pull/159"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/hkuds-openharness-session-key-collision-privilege-escalation"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:57:00.594340+00:00", "value": {"mitigation_remediation": ["Apply the patch from PR #159 to update OpenHarness to a version that verifies sender identity in session key derivation.", "If immediate patching is not possible, limit or disable shared chat and thread scopes to prevent the collision of session keys.", "Review and validate that session key handling includes sender identity verification in future releases or custom builds."], "summary": {"action": "Apply Patch", "impact": "Session Hijacking / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is OpenHarness from HKUDS. All releases prior to the fix committed in PR #159 are vulnerable. No precise version numbers are provided, but any installation that has not incorporated the patch is affected.", "description_and_impact": "HKUDS OpenHarness includes a session key derivation flaw that omits sender identity verification in shared chats or threads. The flaw permits an authenticated participant to collide with another user's session by reusing their conversation state. As a result, the attacker can hijack the victim's session, replace or interrupt their active tasks, leading to unauthorized privilege escalation within the application. The vulnerability falls under authentication bypass (CWE\u2011287).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the current likelihood of exploitation remains uncertain. An attacker must first be an authenticated user in a shared chat or thread; from that point, hijacking a peer's session can be achieved by colliding into the same session boundary. This creates a privilege escalation path limited to the scope of the shared conversation but still noteworthy for security teams. Based on the description, we infer that the attack is executed by an attacker who is already authenticated and authorized to participate in the shared space; the vulnerability does not appear to be exploitable by unauthenticated users."}}}}, "created": "2026-04-21T00:00:13.345100+00:00", "updated": "2026-04-21T00:00:13.345113+00:00", "vendors": []}