Cyber Resilience

CVE-2026-6729

Medium · Public PoC

Published: 20 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available (PR #159)
CVSS v4 score: 5.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0004 (13.6th percentile)
Risk priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6729 is a medium-severity Improper Authentication (CWE-287) vulnerability in Hkuds Openharness. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Remote Service Session Hijacking (T1563). The CVE is ranked at the 13.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-6729 is a session key derivation vulnerability (CWE-287) in HKUDS OpenHarness prior to the remediation in Pull Request #159. The flaw stems from a shared "ohmo" session key that lacks sender identity verification, enabling authenticated participants in shared chats or threads to hijack other users' sessions. This affects the session management component, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity due to network accessibility, low complexity, and low privileges required.

An attacker with low-privileged authenticated access, such as another participant in a shared chat or thread, can exploit this by colliding into the same session boundary. This allows them to reuse the victim's conversation state, replace or interrupt their active tasks, and effectively hijack the session, leading to limited impacts on confidentiality, integrity, and availability.

Mitigation is available via Pull Request #159 on the HKUDS OpenHarness GitHub repository, which includes the remediation commit 3186851c479ee714a9bb9aa6cd77017db7e589e2. Security practitioners should update to a version incorporating this fix, as detailed in the project's pull request and the VulnCheck advisory on the session key collision privilege escalation issue.
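To make the flaw concrete, the following is an added illustration (not OpenHarness code, and not taken from PR #159) of the two keying strategies the analysis above contrasts. The session store, the `Message`/`Session` types, the `"ohmo:"` key prefix and the participant names are all assumptions constructed for the example. With a key derived from the shared thread scope alone, a second participant in the same thread resolves to the first participant's session and replaces its active task; binding the authenticated sender into the key gives each participant a distinct session, and an owner check on lookup catches any residual collision and records it for detection.

```python
"""Illustrative session keying for a shared-thread chat service.

Constructed example, not OpenHarness code. It shows why a session key that
covers only the shared scope lets participants collide, and how binding the
authenticated sender into the key (plus an owner check) prevents it.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Message:
    thread_id: str   # shared chat/thread scope (assumed field name)
    sender: str      # identity established by the auth layer, never client-supplied
    text: str


@dataclass
class Session:
    owner: str
    history: List[str] = field(default_factory=list)
    active_task: Optional[str] = None


def scope_only_key(msg: Message) -> str:
    # Vulnerable pattern: the key covers only the shared scope, so every
    # participant in the thread resolves to the same session object.
    return f"ohmo:{msg.thread_id}"


def sender_bound_key(msg: Message) -> str:
    # Hardened pattern: the authenticated sender is part of the key, so two
    # participants in one thread can never map to the same session.
    return f"ohmo:{msg.thread_id}:{msg.sender}"


class SessionStore:
    def __init__(self, derive_key: Callable[[Message], str], verify_owner: bool):
        self.derive_key = derive_key
        self.verify_owner = verify_owner
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []   # audit trail of owner/sender mismatches

    def handle(self, msg: Message) -> Session:
        key = self.derive_key(msg)
        session = self.sessions.get(key)
        if session is None:
            session = Session(owner=msg.sender)
            self.sessions[key] = session
        elif session.owner != msg.sender:
            # Defence in depth: even if keys collide, a different principal
            # addressing someone else's session is logged and, when enforced,
            # refused instead of silently taking the session over.
            self.alerts.append(
                f"session {key} owned by {session.owner} addressed by {msg.sender}"
            )
            if self.verify_owner:
                raise PermissionError("sender does not own this session")
        # A new message replaces whatever task the session was running.
        session.history.append(msg.text)
        session.active_task = msg.text
        return session


def run_scenario(derive_key: Callable[[Message], str], verify_owner: bool) -> dict:
    """Two participants post to the same thread; report what happened to the first one's session."""
    store = SessionStore(derive_key, verify_owner)
    alice = Message("thread-42", "alice", "summarise the Q3 report")     # constructed
    mallory = Message("thread-42", "mallory", "write a limerick instead")  # constructed
    alice_session = store.handle(alice)
    try:
        store.handle(mallory)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "session_count": len(store.sessions),
        "alice_task": alice_session.active_task,
        "alerts": len(store.alerts),
        "blocked": blocked,
    }


if __name__ == "__main__":
    print("scope-only key, no owner check:", run_scenario(scope_only_key, False))
    print("scope-only key, owner check:   ", run_scenario(scope_only_key, True))
    print("sender-bound key, owner check: ", run_scenario(sender_bound_key, True))
```

The first scenario reproduces the collision described in the analysis: one session for the thread, and Alice's task silently replaced by Mallory's message. The owner check alone stops the takeover and leaves an alert worth feeding into monitoring, but the real fix is the sender-bound key, under which the two participants never share a session and no mismatch can occur.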

EU & UK References

Vulnerability details

HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1563 Remote Service Session Hijacking (tactic: Lateral Movement)
Adversaries may take control of preexisting sessions with remote services to move laterally in an environment.
Why these techniques?

The session key derivation flaw without sender identity verification directly enables hijacking of other authenticated users' sessions in shared chats/threads, mapping to remote service session hijacking.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7551 · Same product: Hkuds Openharness
CVE-2026-40515 · Same product: Hkuds Openharness
CVE-2026-6823 · Same product: Hkuds Openharness
CVE-2026-40516 · Same product: Hkuds Openharness
CVE-2026-6819 · Same product: Hkuds Openharness
CVE-2026-40502 · Same product: Hkuds Openharness
CVE-2026-32847 · Same vendor: Hkuds
CVE-2024-11322 · Shared CWE-287
CVE-2025-71279 · Shared CWE-287
CVE-2024-13804 · Shared CWE-287

Affected Assets

Vendor: hkuds · Product: openharness · Versions: ≤ 0.1.7

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SC-23 Session Authenticity: Requires mechanisms to protect the authenticity of communications sessions, directly mitigating session hijacking from unverified shared session keys lacking sender identity.

prevent · SC-12 Cryptographic Key Establishment and Management: Ensures secure cryptographic key establishment and management for session keys, preventing derivation flaws that allow key sharing without identity verification.

prevent · Authenticator management: Mandates proper management of authenticators including session keys to avoid improper generation and sharing in collaborative contexts.

References