CVE-2026-53869
Hermes Agent < 0.16.0 - DNS Rebinding Bypass via WebSocket Endpoints
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling attackers to exploit DNS rebinding and inject malicious commands or read terminal output.
| CWE | CWE-306 |
| Vendor | nousresearch |
| Product | hermes-agent |
| Published | Jun 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for nousresearch hermes-agent
Be the first to know when new high vulnerabilities affecting nousresearch hermes-agent are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
NousResearch / hermes-agent
0 < 0.16.0
References
github.com: https://github.com/NousResearch/hermes-agent/releases/tag/v2026.6.5 github.com: https://github.com/NousResearch/hermes-agent/pull/30221 github.com: https://github.com/NousResearch/hermes-agent/pull/31685 github.com: https://github.com/NousResearch/hermes-agent/commit/d9ec90585cf7616b5972e44cf8d92bb569fc3feb vulncheck.com: https://www.vulncheck.com/advisories/hermes-agent-dns-rebinding-bypass-via-websocket-endpoints
Credits
Chia Min Jun Lennon