CVE-2026-7551
Published: 30 April 2026
Summary
CVE-2026-7551 is a high-severity OS Command Injection (CWE-78) vulnerability in Hkuds Openharness. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the command injection vulnerability (CWE-78) by validating attacker-controlled command text in the /bridge spawn subcommand before forwarding to the shell subprocess.
Remediates the specific RCE flaw in /bridge slash command processing through timely patching as provided in the referenced GitHub commit.
Enforces least privilege for the OpenHarness process user, limiting the impact of spawned shell sessions by restricting access to local files, credentials, and repository contents.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-7551 enables remote code execution via OS command injection (CWE-78) in the /bridge slash command, directly facilitating T1190 (Exploit Public-Facing Application) through network-accessible RCE and T1059 (Command and Scripting Interpreter) via execution of attacker-controlled commands in a shell subprocess.
NVD Description
HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded…
more
to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.
Deeper analysisAI
HKUDS OpenHarness is affected by CVE-2026-7551, a remote code execution vulnerability (CWE-78) published on 2026-04-30, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue resides in the /bridge slash command, where remote senders accepted by configuration can supply attacker-controlled command text via the /bridge spawn subcommand. This input is forwarded to the bridge session manager and executed through a shared shell subprocess helper.
Attackers with low privileges—specifically, remote senders authorized in the OpenHarness configuration—can exploit this over the network with low complexity and no user interaction. Successful exploitation enables spawning shell sessions as the OpenHarness process user, providing high-impact access to local files, credentials, workspace state, and repository contents.
Mitigation details are provided in the patching GitHub commit 438e37309778e19060dfe7b172eb142e543c4cd6 and pull request #208. Further advisory information, including exploitation vectors and remediation guidance, is available from VulnCheck at https://www.vulncheck.com/advisories/hkuds-openharness-remote-command-execution-via-bridge-slash-command.
Details
- CWE(s)