Skip to main content

Hermes Agent CVE-2026-53869

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-17 VulnCheck GHSA-4pqm-j46f-795x
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable WebSocket with no auth (AV:N, PR:N), but DNS rebinding requires winning a TTL race (AC:H) and a victim browsing an attacker page (UI:R); PTY command injection yields full C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 18:45 vuln.today
Analysis Generated
Jun 17, 2026 - 18:45 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on hermes-agent (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.16.0.

DescriptionCVE.org

Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling attackers to exploit DNS rebinding and inject malicious commands or read terminal output.

AnalysisAI

DNS rebinding in NousResearch Hermes Agent prior to 0.16.0 allows remote attackers to reach privileged local WebSocket endpoints (/api/pty, /api/ws, /api/pub, /api/events) by tricking a victim's browser into resolving an attacker-controlled hostname to the agent's loopback address, bypassing Host and Origin checks. Because FastAPI HTTP middleware does not run on WebSocket upgrade requests, the validation layer is silently skipped, letting attackers inject commands into the PTY or stream terminal output. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Hermes Agent host
Delivery
Lure victim to attacker-controlled page
Exploit
Serve JS that opens WebSocket to rebindable hostname
Execution
DNS rebinds to 127.0.0.1 bypassing Host/Origin
Persist
WebSocket upgrade skips FastAPI middleware
Impact
Inject commands into /api/pty or read terminal stream

Vulnerability AssessmentAI

Exploitation Hermes Agent prior to 0.16.0 must be running and listening on a host reachable from the victim's browser (typical default: a loopback or LAN bind on a developer workstation), and the same user must load an attacker-controlled page in a browser on that host - DNS rebinding is the delivery mechanism, so UI in a browser context is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N, VA:H only) understates real impact and overstates ease: the description clearly says attackers can inject commands and read terminal output, which is high confidentiality and integrity impact, not just availability, and DNS rebinding always requires a victim to load attacker content in a browser (UI required) plus winning a TTL/rebind race (non-trivial complexity). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer running Hermes Agent on their laptop visits an attacker-controlled web page; the page's JavaScript opens a WebSocket to a hostname the attacker briefly resolves to a public IP (passing the same-origin policy), then rebinds the DNS record to 127.0.0.1 so subsequent WebSocket frames hit the local /api/pty endpoint. Because the Host/Origin middleware never fires on the upgrade, the connection is accepted and the attacker streams commands into the victim's shell or reads terminal output. …
Remediation Vendor-released patch: Hermes Agent 0.16.0 (release tag v2026.6.5, https://github.com/NousResearch/hermes-agent/releases/tag/v2026.6.5); the fix corresponds to upstream commit d9ec90585cf7616b5972e44cf8d92bb569fc3feb and PRs #30221 and #31685, which move Host/Origin validation into a WebSocket-aware dependency so it runs on upgrade requests. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all Hermes Agent deployments running versions prior to 0.16.0, including network location and access scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9367 MEDIUM POC
5.5 May 24

Remote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands

CVE-2026-14628 MEDIUM POC
5.5 Jul 04

Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the

CVE-2026-9351 MEDIUM POC
5.5 May 24

Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass

CVE-2026-9368 MEDIUM POC
5.5 May 24

Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipula

CVE-2026-10221 MEDIUM POC
5.5 Jun 01

Remote code/prompt injection in NousResearch Hermes Agent through 0.12.0 stems from improper neutralization in the _comp

CVE-2026-10220 MEDIUM POC
5.5 Jun 01

Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate t

CVE-2026-9366 MEDIUM POC
5.5 May 24

Code injection in NousResearch hermes-agent 2026.4.23 allows remote unauthenticated attackers to inject and execute arbi

CVE-2026-9353 MEDIUM POC
5.5 May 24

Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers t

CVE-2026-10224 MEDIUM POC
5.5 Jun 01

Uncontrolled resource consumption in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenti

CVE-2026-9350 MEDIUM POC
5.5 May 24

Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentica

CVE-2026-9352 MEDIUM POC
5.5 May 24

Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data vi

CVE-2026-7396 MEDIUM POC
5.5 Apr 29

A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality

Share

CVE-2026-53869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy