CVE-2026-53869: Hermes Agent < 0.16.0 - DNS Rebinding Bypass via WebSocket Endpoints
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling attackers to exploit DNS rebinding and inject malicious commands or read terminal output.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 0.16.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A DNS rebinding vulnerability in Hermes Agent before 0.16.0 allows remote attackers to bypass Host and Origin header validation on WebSocket endpoints. The FastAPI HTTP middleware responsible for enforcing those checks is skipped entirely for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events, so an attacker who can trick a user's browser into connecting to a rebound hostname gains unauthenticated access to those endpoints. Successful exploitation crashes or disrupts the affected agent service (CVSS availability impact: High). A patched-image rebuild at version 0.16.0 is available on HarborGuard for environments running an affected version.
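As an added illustration (not Hermes Agent's code or its actual fix), the defect class the synopsis describes: a Host/Origin check registered as FastAPI HTTP middleware is never reached by a WebSocket upgrade, so the same check has to run inside the WebSocket route itself. The allowed-host set, port and placeholder PTY handling below are assumptions; the /api/pty route name is the one named in the advisory.

```python
from urllib.parse import urlsplit

# Names the agent is legitimately reached by (assumed; derive from the real
# bind address/port in a deployment). A rebinding page can make the browser
# resolve its own hostname to this IP, but it cannot change the Host/Origin
# the browser sends, so matching them against this set defeats the attack.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _hostname(netloc: str) -> str:
    """Drop a trailing :port from a Host header or URL netloc (IPv6 aware)."""
    if netloc.startswith("["):
        return netloc.split("]")[0] + "]"
    return netloc.rsplit(":", 1)[0] if ":" in netloc else netloc


def ws_request_allowed(headers: dict, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if Host and (when present) Origin name a trusted host."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if _hostname(h.get("host", "")).lower() not in allowed_hosts:
        return False
    origin = h.get("origin")
    if origin is None:  # non-browser clients send no Origin; Host matched, accept
        return True
    parts = urlsplit(origin)  # "null" or a bare word has no scheme -> rejected
    if parts.scheme not in ("http", "https"):
        return False
    return _hostname(parts.netloc).lower() in allowed_hosts


def build_app():
    """Wire the check into a FastAPI WebSocket route (needs fastapi installed)."""
    from fastapi import FastAPI, WebSocket  # imported lazily so the check runs without it

    app = FastAPI()

    @app.websocket("/api/pty")  # route name taken from the advisory
    async def pty(ws: WebSocket):
        # An @app.middleware("http") handler never sees this upgrade request,
        # so the validation has to happen here, before accept().
        if not ws_request_allowed(dict(ws.headers)):
            await ws.close(code=1008)  # 1008 = policy violation; no accept()
            return
        await ws.accept()
        await ws.send_text("connected")  # placeholder for the real PTY loop

    return app
```

The same function can be shared by the /api/ws, /api/pub and /api/events routes, or declared once as a FastAPI dependency on each of them.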
HarborGuard Coverage
Detection of CVE-2026-53869 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Hermes Agent. Any image tag carrying a Hermes Agent version below 0.16.0 will surface as affected in both registry scans and CI pipeline checks.
HarborGuard scores this finding at CVSS 8.7 (High severity) and weights it against each environment's compliance policy to determine escalation priority. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at Hermes Agent 0.16.0 becomes available on HarborGuard once the fix version is confirmed in upstream metadata. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Hermes Agent service over the network; the WebSocket endpoints are exposed via HTTP upgrade requests, and the DNS rebinding technique requires the victim's browser to connect outbound to an attacker-controlled hostname that rebinds to the agent's IP.
- Authentication: Not required
No credentials are needed; the middleware bypass means the attacker skips Host and Origin validation entirely without presenting any account or token.
- Victim interaction: Required
The DNS rebinding technique requires a victim to visit an attacker-controlled web page that initiates the WebSocket connection from the victim's browser, making user interaction a necessary part of the attack chain.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions beyond the DNS rebinding setup; no race conditions or memory-layout dependencies are involved.
Blast Radius
- Crashes or renders the Hermes Agent service unavailable, disrupting any terminal sessions or event streams that depend on the /api/pty, /api/ws, /api/pub, and /api/events endpoints.
- Injects malicious commands into an active terminal session via the /api/pty WebSocket endpoint.
- Reads live terminal output streamed over /api/pty or /api/events without authorization.
How HarborGuard Handles This
Available on HarborGuard: images containing Hermes Agent versions below 0.16.0 are flagged automatically as each registry and pipeline scan completes. A rebuilt image at version 0.16.0 is made available for affected environments once upstream package metadata confirms the fix. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes a regression run against the patched image, and opens a PR against affected workloads; for High-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Customers who manage remediation manually will find the affected image tags, endpoint details, and fix version listed in the finding detail view for direct action.
- NousResearch / hermes-agent: affected versions < 0.16.0 (from 0); fixed in 0.16.0
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N