CVE-2026-53869
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk44th percentile — higher than 44% of all known CVEs
Summary
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on specified endpoints, enabling attackers to exploit this vulnerability.
Risk Assessment
This vulnerability may lead to the injection of malicious commands or reading terminal output, posing a serious threat to the security of the system and the organization's data.
Recommendation
It is recommended to update Hermes Agent to version 0.16.0 or later to mitigate this vulnerability and implement additional security measures for WebSocket endpoints.
Original NVD description (English source)
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling attackers to exploit DNS rebinding and inject malicious commands or read terminal output.

