Platform: python
Component: openharness
Fixed in: bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae
CVE-2026-40516 describes a server-side request forgery (SSRF) vulnerability discovered in OpenHarness. The flaw lets an attacker reach sensitive internal resources by manipulating tool parameters of the webfetch and websearch tools. It affects all OpenHarness versions prior to commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae; that commit contains the fix.
The SSRF vulnerability in OpenHarness allows an attacker to craft malicious requests that the OpenHarness agent will execute on behalf of the attacker. This can lead to unauthorized access to private and localhost HTTP services. Attackers could exploit this to read response bodies from local development services, cloud metadata endpoints (potentially exposing credentials), admin panels, or any other private HTTP service reachable from the victim host. The potential blast radius is significant, as it could expose sensitive data and allow for further reconnaissance and exploitation within the target environment. This vulnerability shares similarities with other SSRF exploits where attackers leverage trusted internal services to gain access to restricted resources.
CVE-2026-40516 was publicly disclosed on 2026-04-17. As of this date, there is no indication of active exploitation or a KEV listing. No public proof-of-concept (PoC) code has been released. The EPSS score is currently unavailable, but given the SSRF nature and potential for data exposure, it warrants careful monitoring.
Exploit Status
EPSS: 0.05% (14th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-40516 is to upgrade OpenHarness to a version that includes commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae or later. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting network access from the OpenHarness agent to only the external services it needs. Additionally, apply strict input validation to all tool parameters so that attackers cannot redirect the target address to internal hosts. Web application firewalls (WAFs) configured to block suspicious outbound requests can provide a further layer of defense. After upgrading, confirm the fix by invoking the webfetch and websearch tools with crafted URLs that point at internal services; such requests should be rejected.
Update OpenHarness to a version that includes fix commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae. This fix properly validates target addresses in the web_fetch and web_search tools, preventing unauthorized access to internal services.
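The kind of target-address validation the fix is described as adding can be illustrated with a small guard that a fetch tool would call before opening a connection. This is an added example, not OpenHarness code and not the project's actual patch: the function names, the blocked-hostname list and the injectable resolver are assumptions, and the sample inputs are constructed. It rejects non-HTTP schemes, embedded credentials, and any host whose literal or resolved address is loopback, private, link-local, multicast or otherwise non-global, including the IPv4-mapped IPv6 form of a loopback address.

```python
"""Example SSRF guard for an agent's URL-fetching tool (added illustration)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Hostnames that denote internal services regardless of what they resolve to.
# Assumed list for the example; a real deployment would tailor it.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged
    # by the embedded IPv4 address, or loopback slips through as "IPv6".
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def default_resolver(host: str) -> list:
    """Resolve host to all of its addresses using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(url: str, resolver=default_resolver) -> list:
    """Return the public addresses url may connect to, or raise ValueError.

    The decision is made on the *resolved* addresses, so decimal or octal
    IP spellings and DNS names pointing at private ranges are all caught.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    if host.rstrip(".").lower() in BLOCKED_HOSTNAMES:
        raise ValueError(f"blocked hostname: {host}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal address
    except ValueError:
        addrs = resolver(host)                       # DNS name
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return addrs


def is_safe_target(url: str, resolver=default_resolver) -> bool:
    """Boolean wrapper around validate_fetch_target for callers and tests."""
    try:
        validate_fetch_target(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a fixed resolver stands in for DNS so this runs offline.
    fake_dns = {"intranet.example": ["10.0.0.5"], "public.example": ["93.184.216.34"]}
    for u in ("http://127.0.0.1:8080/admin", "http://169.254.169.254/latest/",
              "http://[::ffff:127.0.0.1]/", "http://intranet.example/",
              "http://public.example/", "file:///etc/passwd"):
        print(u, "->", "allowed" if is_safe_target(u, fake_dns.get) else "blocked")
```

Two caveats apply to any guard of this shape. The tool must connect to one of the addresses the guard returned rather than resolving the name again at connect time, otherwise a DNS answer that changes between the check and the connection defeats it; and every redirect the fetch follows has to be passed back through the same validation, since the first hop being public says nothing about where a 302 points.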
CVE-2026-40516 is a server-side request forgery vulnerability in OpenHarness that allows attackers to access private HTTP services by manipulating tool parameters.
You are affected if you are using any OpenHarness version from 0.0.0 up to, but not including, commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae.
Upgrade OpenHarness to a version that includes commit bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae or later. Implement input validation and WAF rules as temporary mitigations.
As of the current disclosure date, there is no indication of active exploitation.
Refer to the OpenHarness project's official security advisories and release notes for the most up-to-date information.