Cyber Resilience

CVE-2026-7551

HighPublic PoCRCE

Published: 30 April 2026

Published
30 April 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0065 46.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7551 is a high-severity OS Command Injection (CWE-78) vulnerability in Hkuds Openharness. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

HKUDS OpenHarness is affected by CVE-2026-7551, a remote code execution vulnerability (CWE-78) published on 2026-04-30, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue resides in the /bridge slash command, where remote senders accepted by configuration can supply attacker-controlled command text via the /bridge spawn subcommand. This input is forwarded to the bridge session manager and executed through a shared shell subprocess helper.

Attackers with low privileges—specifically, remote senders authorized in the OpenHarness configuration—can exploit this over the network with low complexity and no user interaction. Successful exploitation enables spawning shell sessions as the OpenHarness process user, providing high-impact access to local files, credentials, workspace state, and repository contents.

Mitigation details are provided in the patching GitHub commit 438e37309778e19060dfe7b172eb142e543c4cd6 and pull request #208. Further advisory information, including exploitation vectors and remediation guidance, is available from VulnCheck at https://www.vulncheck.com/advisories/hkuds-openharness-remote-command-execution-via-bridge-slash-command.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded…

more

to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

CVE-2026-7551 enables remote code execution via OS command injection (CWE-78) in the /bridge slash command, directly facilitating T1190 (Exploit Public-Facing Application) through network-accessible RCE and T1059 (Command and Scripting Interpreter) via execution of attacker-controlled commands in a shell subprocess.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6819Same product: Hkuds Openharness
CVE-2026-6823Same product: Hkuds Openharness
CVE-2026-40515Same product: Hkuds Openharness
CVE-2026-40516Same product: Hkuds Openharness
CVE-2026-6729Same product: Hkuds Openharness
CVE-2026-40502Same product: Hkuds Openharness
CVE-2026-28470Shared CWE-78
CVE-2025-69269Shared CWE-78
CVE-2025-24971Shared CWE-78
CVE-2026-22553Shared CWE-78

Affected Assets

hkuds
openharness
≤ 2026-04-27

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the command injection vulnerability (CWE-78) by validating attacker-controlled command text in the /bridge spawn subcommand before forwarding to the shell subprocess.

prevent

Remediates the specific RCE flaw in /bridge slash command processing through timely patching as provided in the referenced GitHub commit.

prevent

Enforces least privilege for the OpenHarness process user, limiting the impact of spawned shell sessions by restricting access to local files, credentials, and repository contents.

References