OpenHarness `/bridge spawn` command reaches shell, patched local-only
TL;DR - OpenHarness deployments that accept remote gateway senders are exposed to OS command execution via /bridge spawn <CMD>. The command reaches bash -lc through a shared shell subprocess helper. Update to a build containing the fix from HKUDS/OpenHarness#208, which makes /bridge local-only by default.
What happened
OpenHarness is an AI agent management framework with a remote gateway and a slash-command control plane - the kind of tool that sits next to your repo checkout, CI secrets, and cloud credentials.
CVE-2026-7551 is a remote OS command injection path through the /bridge slash command. A remote sender that the OpenHarness configuration already accepts can send /bridge spawn CMD. The command text is forwarded into the bridge session manager, then executed through a shared shell subprocess helper. From there, an attacker runs as the OpenHarness process user with access to local files, credentials, workspace state, and repository contents.
The fix, merged as HKUDS/OpenHarness#208, registers /bridge with remote_invocable=False. The gateway denies remote /bridge spawn ... messages before the handler ever runs.
| Item | Detail |
|---|---|
| Impact | Remote code execution via /bridge spawn |
| Preconditions | Remote sender accepted by OpenHarness configuration (not unauthenticated) |
| CVSS (CNA) | 8.8 (v3.1), 8.7 (v4.0) |
| Weakness | CWE-78 (OS command injection) |
This is a recurring failure mode for chatops and agent control planes: a convenience command accidentally becomes a remote execution API sitting directly beside repo checkouts and CI or cloud credentials.
Who is impacted
- OpenHarness deployments with a remote channel or gateway enabled and at least one remote sender accepted by configuration.
- Deployments running code that predates the fix commit referenced by NVD (
HKUDS/OpenHarness@438e37309778e19060dfe7b172eb142e543c4cd6). - Highest risk: hosts where the OpenHarness process user can read developer credentials, CI secrets, or production access tokens from disk or environment variables.
What to do now
- Update to a build that includes the fix from
HKUDS/OpenHarness#208. - Confirm the deployed code includes fix commit
438e37309778e19060dfe7b172eb142e543c4cd6as referenced by NVD. - Audit your remote gateway trust configuration:
- review which remote senders are accepted by configuration
- treat that acceptance list as an authorisation boundary, not a convenience allowlist
- If
/bridge spawncould have been reached before patching, treat exposed secrets as compromised:- rotate credentials accessible to the OpenHarness process user (cloud keys, Git tokens, registry tokens)
- review audit logs for unexpected
/bridgeinvocations and unexplained long-running bridge sessions
Additional Information
- Patch PR:
HKUDS/OpenHarness#208 - Fix commit (referenced by NVD):
HKUDS/OpenHarness@438e37309778e19060dfe7b172eb142e543c4cd6
Related
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.