← Voltar para CVEs
CVE-2026-22682
HIGH7.1
Descricao
OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode.
Detalhes CVE
Pontuacao CVSS v3.17.1
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vetor de ataqueLOCAL
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado4/7/2026
Ultima modificacao4/8/2026
Fontenvd
Avistamentos honeypot0
Fraquezas (CWE)
CWE-863
Referencias
https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9(disclosure@vulncheck.com)
https://github.com/HKUDS/OpenHarness/pull/32(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools(disclosure@vulncheck.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.