CVE-2026-6729 MEDIUM

CVE-2026-6729: HKUDS OpenHarness Session Key Collision Privilege Escalation

Vendor Hkuds
Product OpenHarness
Weakness CWE-287 · Improper authentication
Published April 20, 2026
Last update April 21, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

HKUDS OpenHarness prior to the PR #159 remediation contains a session key derivation vulnerability: the ohmo session key is shared across a chat or thread and lacks sender identity verification. Authenticated participants in a shared chat or thread can exploit this to hijack other users' sessions. By colliding into the same session boundary through the shared chat or thread scope, an attacker can reuse another user's conversation state and replace or interrupt that user's active tasks.
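The weakness class described above, shown as an added illustration that is not OpenHarness code and not the PR #159 fix: a session store keyed only by chat/thread scope next to one whose key binds the sender, plus a check for sessions that mix senders. The message fields, function names and key layout are assumptions, since the page does not give the real ohmo key format.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Inbound:
    """Constructed stand-in for an inbound chat message; field names are assumptions."""
    channel: str
    chat_id: str
    thread_id: str
    sender_id: str
    text: str

def scope_only_key(m):
    # Weak pattern: the key covers only the chat/thread scope, so every
    # participant in that thread resolves to the same session.
    return f"{m.channel}:{m.chat_id}:{m.thread_id}"

def sender_bound_key(m):
    # Hardened pattern: bind the sender into the key. Each field is
    # length-prefixed so a delimiter inside an ID cannot imitate another tuple.
    h = hashlib.sha256()
    for part in (m.channel, m.chat_id, m.thread_id, m.sender_id):
        raw = part.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()

class SessionStore:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.sessions = {}

    def handle(self, m):
        s = self.sessions.setdefault(self.key_fn(m), {"history": [], "task": None})
        s["history"].append((m.sender_id, m.text))
        s["task"] = m.text  # a new message replaces the session's active task
        return s

def cross_user_sessions(store):
    """Audit check: keys of sessions whose history holds more than one sender."""
    return [k for k, s in store.sessions.items()
            if len({who for who, _ in s["history"]}) > 1]

# Constructed sample traffic: two users posting in the same thread.
MESSAGES = [Inbound("slack", "C1", "T9", "alice", "summarise the report"),
            Inbound("slack", "C1", "T9", "bob", "start a different task")]

def run(key_fn):
    store = SessionStore(key_fn)
    for m in MESSAGES:
        store.handle(m)
    return store
```

Running `cross_user_sessions` over an existing session store is a quick way to find state that was already shared across senders before the key derivation was changed.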

Key dates

02 Disclosure timeline

April 20, 2026 CVE published
April 21, 2026 Record updated