CVE-2026-11461
NousResearch hermes-agent resume Endpoint hermes_state.py resolve_session_by_title authorization
CVSS Score
6.3
EPSS Score
0.0%
EPSS Percentile
13th
A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
| CWE | CWE-639 CWE-285 |
| Vendor | nousresearch |
| Product | hermes-agent |
| Published | Jun 7, 2026 |
| Last Updated | Jun 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for nousresearch hermes-agent
Be the first to know when new medium vulnerabilities affecting nousresearch hermes-agent are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
NousResearch / hermes-agent
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 0.10 0.11 0.12.0
References
vuldb.com: https://vuldb.com/vuln/369081 vuldb.com: https://vuldb.com/vuln/369081/cti vuldb.com: https://vuldb.com/cve/CVE-2026-11461 vuldb.com: https://vuldb.com/submit/829402 gist.github.com: https://gist.github.com/YLChen-007/7951b3dc39193fb675914cc5d8b672fa gist.github.com: https://gist.github.com/YLChen-007/c2d162e9c8d39584223683cdcba98607
Credits
๐ Eric-b (VulDB User) VulDB CNA Team