CVE-2026-40516 - Vulnerability Analysis
Severity: High | CVSS: 8.3 | Last Updated: April 17, 2026
OpenHarness - Server Side Request Forgery
Published: April 17, 2026 | Updated: April 17, 2026 | Remotely Exploitable
Overview
OpenHarness before commit bd4df81 contains a server-side request forgery (SSRF) vulnerability. The web_fetch and web_search tools do not properly validate the target addresses they are asked to contact, so an attacker who can influence the parameters passed to those tools can make the server issue HTTP requests to private-network and localhost services that are not reachable from the Internet. The issue is remotely exploitable, but exploitation requires the attacker to manipulate the tool parameters (for example, the target URL).
Severity & Score
Severity: High
CVSS Score: 8.3
Impact
An attacker can reach internal HTTP services that are not exposed to the Internet, potentially exposing sensitive data from private-network services or from cloud instance metadata endpoints (which commonly return instance credentials).
Mitigation
Update to a version of OpenHarness that includes commit bd4df81 or later.
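The advisory does not describe how the fix validates target addresses. The following is an added example of the check a web_fetch-style tool needs, written for this page and not taken from the OpenHarness project; it assumes a tool that receives a URL string and a resolver callable (the default uses system DNS, and the fake resolver with its constructed DNS answers lets the example run offline). Every resolved address, not just the first, must be public, and the caller is expected to connect to the returned pinned IP and re-run the check on each redirect hop.

```python
"""Target-address validation for a web_fetch-style tool (added example,
not OpenHarness code; makes no claim about how commit bd4df81 fixes it)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Explicit deny list on top of the ipaddress flags, so the verdict does not
# depend on which Python version's notion of is_private is in use.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local; includes cloud metadata 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class UnsafeTarget(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def system_resolver(host: str) -> list[str]:
    """Return every address the host resolves to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is IPv4 loopback in an IPv6 coat; unwrap before checking.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in BLOCKED_NETWORKS):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_safe_target(url: str,
                        resolver: Callable[[str], Iterable[str]] = system_resolver
                        ) -> tuple[str, str, int]:
    """Validate url; return (hostname, pinned_ip, port) the client may use.

    All resolved addresses must be public: an HTTP client may pick any record,
    and one public plus one private answer is a DNS-rebinding setup. Connect
    to pinned_ip (with a Host header for hostname) and re-check every redirect.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeTarget("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeTarget("URL has no host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeTarget(f"bad port in {url!r}") from exc
    try:
        # Dotted-quad and bracketed IPv6 literals are checked without DNS. Other
        # literal spellings (decimal "2130706433", hex "0x7f000001") fail here
        # and go through the resolver, whose answer is what gets checked.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            raise UnsafeTarget(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise UnsafeTarget(f"{host!r} did not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise UnsafeTarget(f"{host!r} resolves to non-public address {addr}")
    return host, addrs[0], port


# Constructed DNS answers so the example runs offline; not real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],  # one public, one private
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def is_allowed(url: str, resolver=fake_resolver) -> bool:
    """True if the tool would fetch url, False if the validator blocks it."""
    try:
        resolve_safe_target(url, resolver)
        return True
    except UnsafeTarget:
        return False


if __name__ == "__main__":
    for u in ("https://example.com/page", "http://localhost:8080/admin",
              "http://169.254.169.254/latest/meta-data/", "http://rebind.test/"):
        print("ALLOW" if is_allowed(u) else "BLOCK", u)
```

Two points matter beyond the deny list itself. First, the check and the connect must use the same address: validating a hostname and then letting the HTTP client resolve it again re-opens the hole through DNS rebinding, which is why the function returns a pinned IP. Second, a fetch that follows redirects is only as safe as its last hop, so each Location target goes through the same function; the same applies to any URL a web_search backend hands back for fetching.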
Details
- CVE ID
- CVE-2026-40516
- Severity
- High
- CVSS Score
- 8.3
- Type
- Server-Side Request Forgery (server_side_request_forgery)
- Status
- unconfirmed
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Decoded: attack vector Network, attack complexity Low, no privileges required, no user interaction, scope Changed (the forged requests reach services beyond the vulnerable component), and Low impact on each of confidentiality, integrity and availability. These metrics yield the 8.3 base score listed above.