CVE Catalog

CVE-2026-56695

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

In the OpenHarness ohmo gateway, the /resume and /summary commands have the default remote_invocable set to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private data such as prompts, credentials, and file paths.

Risk Assessment

Organizations may be exposed to sensitive information leaks, potentially leading to breaches of privacy and data security. The misuse of this data by attackers could result in serious consequences for the company's reputation and operations.

Recommendation

It is recommended to update the configuration of the OpenHarness ohmo gateway to set the remote_invocable option to False by default. Additionally, conduct an audit of access to session snapshots and monitor activity in gateway channels.

Original NVD description (English source)

OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS