CVE-2026-40515
Published: 17 April 2026
Summary
CVE-2026-40515 is a high-severity Incorrect Authorization (CWE-863) vulnerability in HKUDS OpenHarness. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 6.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Mandates enforcement of approved authorizations including configured path rules to prevent unauthorized access to sensitive files despite path normalization flaws in grep and glob tools.
Requires validation of path inputs to built-in tools like grep and glob to ensure proper normalization and compliance with access restrictions, directly countering the bypass vulnerability.
Requires timely remediation of the specific path normalization flaw in OpenHarness via patching to commit bd4df81, eliminating the permission bypass.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The remote unauthenticated path bypass in public-facing OpenHarness directly enables exploitation of a public-facing app (T1190) to perform file/directory discovery via glob (T1083) and read sensitive local files/credentials via grep (T1005).
NVD Description
OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not properly evaluated against configured path rules, allowing disclosure of sensitive local file content, key material, configuration files, or directory contents despite configured path restrictions.
Deeper analysis [AI]
CVE-2026-40515 is a permission bypass vulnerability (CWE-863) in OpenHarness prior to commit bd4df81, stemming from incomplete path normalization in the permission checker. This flaw affects the built-in grep and glob tools, which fail to properly evaluate sensitive root directories against configured path rules. As a result, attackers can bypass restrictions designed to limit access to local files. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no privileges required.
Remote, unauthenticated attackers can exploit this vulnerability by invoking the grep or glob tools with specially crafted arguments targeting sensitive root directories. Successful exploitation enables the disclosure of sensitive local file contents, including key material, configuration files, or directory listings, even when path restrictions are explicitly configured. No user interaction is needed, and the attack requires low complexity.
Mitigation is available through the patch in OpenHarness commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae, submitted via pull request #92 on the HKUDS/OpenHarness GitHub repository. Security practitioners should update to this commit or later versions. Additional details are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/openharness-permission-bypass-via-grep-and-glob-root-argument.
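The class of flaw described above, as an added Python example (not OpenHarness code and not the patch in bd4df81): a path-rule check that matches the raw root argument, beside one that canonicalises both the argument and the rule before comparing. The function names, the deny rule and the directory tree are constructed for illustration, and the inputs are generic normalization cases rather than the input from the advisory.

```python
import os
import tempfile


def naive_is_allowed(root, denied_roots):
    """Weak form: matches the raw argument string against the deny rules."""
    return not any(root.startswith(d) for d in denied_roots)


def is_allowed(root, denied_roots, cwd):
    """Hardened form: canonicalise both sides, then compare whole components.

    A recursive search root is refused when it lies inside a denied tree or
    contains one, because the walk would descend into it.
    """
    real = os.path.realpath(os.path.join(cwd, root))  # resolves '..' and symlinks
    for rule in denied_roots:
        denied = os.path.realpath(rule)
        if os.path.commonpath([real, denied]) in (real, denied):
            return False
    return True


def demo():
    """Return {case: (naive verdict, hardened verdict)} on a constructed tree."""
    with tempfile.TemporaryDirectory() as base:
        work = os.path.join(base, "work")
        secrets = os.path.join(base, "secrets")
        os.makedirs(work)
        os.makedirs(secrets)
        os.symlink(secrets, os.path.join(work, "link"))
        denied = [secrets]  # hypothetical path rule
        cases = {
            "plain": work,
            "dotdot": os.path.join(work, "..", "secrets"),
            "relative": "../secrets",
            "symlink": os.path.join(work, "link"),
            "ancestor": base,
        }
        return {
            name: (naive_is_allowed(path, denied), is_allowed(path, denied, work))
            for name, path in cases.items()
        }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9} naive={verdicts[0]} hardened={verdicts[1]}")
```

The same canonical path that passes the check should be the one handed to the search tool, so the decision and the file access refer to the same location.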
Details
- CWE(s)