HKUDS OpenHarness contains a critical remote code execution vulnerability in the /bridge slash command. The vulnerability allows remote senders accepted by configuration to execute arbitrary operating system commands through the /bridge spawn command. Attackers can provide malicious command text that gets forwarded to the bridge session manager and executed via the shared shell subprocess helper. This allows attackers to spawn shell sessions as the OpenHarness process user, potentially accessing local files, credentials, workspace state, and repository contents. The vulnerability has been addressed through patches available on GitHub.