CVE-2026-56696
MEDIUM
5.4
Our Analysis: Environment Specific
Our model has classified this vulnerability as relevant to Environment Specific Systems, helping your team prioritize efforts effectively.
Published Date
June 23, 2026
Last Modified
June 23, 2026
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Description
OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior.