CVE-2026-6729

6.3 MEDIUM
Published: April 20, 2026 Modified: April 24, 2026
View on NVD

Description

HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/HKUDS/OpenHarness/pull/159
Source: disclosure@vulncheck.com
Exploit Issue Tracking
https://github.com/HKUDS/OpenHarness/pull/159
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Issue Tracking

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.3 / 10.0
EPSS (Exploit Probability)
0.2%
10th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

hkuds