CVE-2026-56696

OpenHarness - Prompt Injection via /issue and /pr_comments Slash Commands

CVSS 5.3 MEDIUMCWE-862

In short

OpenHarness allows attackers to inject malicious commands through chat slash commands that aren't properly protected, letting them secretly add harmful content to project files that gets inserted into system prompts and changes how the local agent behaves.

Technical detail

CWE-862 (Missing Authorization) vulnerability in /issue and /pr_comments slash commands lacks remote_invocable=False protection, enabling unauthenticated remote channel senders to perform arbitrary writes to .openharness/issue.md and .openharness/pr_comments.md. Injected Markdown persists in runtime system prompts, allowing persistent prompt injection attacks that alter local agent behavior without detection.

Summary generated and translated by AI from the official description.

OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

HKUDS · OpenHarness

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/HKUDS/OpenHarness/commit/27bb93b810e9ea8fa4832eab7152eeb3b4a6bffb https://github.com/HKUDS/OpenHarness/pull/272 https://www.vulncheck.com/advisories/openharness-prompt-injection-via-issue-and-pr-comments-slash-commands