CVE-2026-7113

NousResearch hermes-agent Webhooks Endpoint webhook.py missing authentication

CVSS 6.3 MEDIUMEPSS 0.4%CWE-287 CWE-306

Vexday Risk Score

33Atención

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 6.3EPSS 0.4%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Ciclo de vida

27 abr 2026Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitation is known to be difficult. The exploit has been made public and could be used. The project was informed of the problem early through a pull request but has not reacted yet.

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Productos afectados

NousResearch · hermes-agent

PoCs públicas encontradas — 1

cve_referencegithub.com/NousResearch/hermes-agent/issues/6440no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/NousResearch/hermes-agent/https://github.com/NousResearch/hermes-agent/issues/6440 https://github.com/NousResearch/hermes-agent/pull/6445 https://vuldb.com/submit/800802 https://vuldb.com/vuln/359713 https://vuldb.com/vuln/359713/cti