OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.
Metrics
Affected Vendors & Products
References
History
Wed, 24 Jun 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 23 Jun 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hkuds
Hkuds openharness |
|
| Vendors & Products |
Hkuds
Hkuds openharness |
Tue, 23 Jun 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels. | |
| Title | OpenHarness - Cross-Session Disclosure via /resume and /summary Commands | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-23T15:36:01.873Z
Updated: 2026-06-24T13:54:18.287Z
Reserved: 2026-06-22T17:09:16.555Z
Link: CVE-2026-56695
Updated: 2026-06-24T13:53:32.984Z
No data.
No data.