CVE-2026-6729
Published: 20 April 2026
Summary
CVE-2026-6729 is a medium-severity Improper Authentication (CWE-287) vulnerability in HKUDS OpenHarness. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Remote Service Session Hijacking (T1563). The CVE ranks at the 11.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires mechanisms to protect the authenticity of communications sessions, directly mitigating session hijacking from unverified shared session keys lacking sender identity.
Ensures secure cryptographic key establishment and management for session keys, preventing derivation flaws that allow key sharing without identity verification.
Mandates proper management of authenticators including session keys to avoid improper generation and sharing in collaborative contexts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The session key derivation flaw without sender identity verification directly enables hijacking of other authenticated users' sessions in shared chats/threads, mapping to remote service session hijacking.
NVD Description
HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.
Deeper analysis
CVE-2026-6729 is a session key derivation vulnerability (CWE-287) in HKUDS OpenHarness prior to the remediation in Pull Request #159. The flaw stems from a shared "ohmo" session key that lacks sender identity verification, enabling authenticated participants in shared chats or threads to hijack other users' sessions. This affects the session management component, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity due to network accessibility, low complexity, and low privileges required.
An attacker with low-privileged authenticated access, such as another participant in a shared chat or thread, can exploit this by colliding into the same session boundary. This allows them to reuse the victim's conversation state, replace or interrupt their active tasks, and effectively hijack the session, leading to limited impacts on confidentiality, integrity, and availability.
Mitigation is available via Pull Request #159 on the HKUDS OpenHarness GitHub repository, which includes the remediation commit 3186851c479ee714a9bb9aa6cd77017db7e589e2. Security practitioners should update to a version incorporating this fix, as detailed in the project's pull request and the VulnCheck advisory on the session key collision privilege escalation issue.
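The difference between a session key scoped only to the shared chat or thread and one that also binds the sender, shown as an added example (not code from OpenHarness or PR #159). The Message fields, function names and hash-based key layout are assumptions made for illustration, and the sample messages are constructed.

```python
# Added illustration; names and key layout are assumptions, not OpenHarness code.
import hashlib
from typing import NamedTuple, Optional


class Message(NamedTuple):
    """Constructed stand-in for an inbound chat message (hypothetical fields)."""
    channel: str
    chat_id: str
    thread_id: Optional[str]
    sender_id: str


def _digest(parts):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    h = hashlib.sha256()
    for p in parts:
        raw = (p or "").encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()


def scope_only_key(msg: Message) -> str:
    """Weak pattern: the key covers only the shared chat/thread scope."""
    return _digest([msg.channel, msg.chat_id, msg.thread_id])


def sender_bound_key(msg: Message) -> str:
    """Hardened pattern: sender identity is part of the session boundary."""
    if not msg.sender_id:
        raise ValueError("refusing to derive a session key without a sender identity")
    return _digest([msg.channel, msg.chat_id, msg.thread_id, msg.sender_id])


def shared_sessions(messages, derive):
    """Return {session_key: senders} for keys reached by more than one sender."""
    seen = {}
    for m in messages:
        seen.setdefault(derive(m), set()).add(m.sender_id)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: two participants posting in the same thread.
SAMPLE = [
    Message("chat", "room-1", "t-42", "alice"),
    Message("chat", "room-1", "t-42", "bob"),
    Message("chat", "room-1", "t-42", "alice"),
]
```

Running `shared_sessions` over a session store's own derivation function and recent traffic is a quick audit: any key reached by more than one sender marks a session boundary that is shared across users.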
Details
- CWE(s)