CVE Catalog

CVE-2026-53869

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.60%

44th percentile — higher than 44% of all known CVEs

Summary

Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on specified endpoints, enabling attackers to exploit this vulnerability.

Risk Assessment

This vulnerability may lead to the injection of malicious commands or reading terminal output, posing a serious threat to the security of the system and the organization's data.

Recommendation

It is recommended to update Hermes Agent to version 0.16.0 or later to mitigate this vulnerability and implement additional security measures for WebSocket endpoints.

Original NVD description (English source)

Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling attackers to exploit DNS rebinding and inject malicious commands or read terminal output.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS