PatchSiren cyber security CVE debrief
CVE-2026-11461 NousResearch CVE debrief
CVE-2026-11461 is an authorization bypass vulnerability in NousResearch hermes-agent up to 0.12.0. It affects the resolve_session_by_title function in hermes_state.py, part of the resume endpoint. Attackers can exploit this vulnerability remotely, and the exploit has been publicly disclosed.
- Vendor: NousResearch
- Product: hermes-agent
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-07
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-07
- Advisory updated: 2026-06-09
Who should care
Users of NousResearch hermes-agent up to version 0.12.0 should apply patches or mitigations to prevent exploitation of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 2.1 and is classified as LOW severity. It allows for authorization bypass via manipulation of the Title argument in the resolve_session_by_title function of hermes_state.py. The vulnerability can be exploited remotely.
Defensive priority
LOW
Recommended defensive actions
- Apply patches or updates for NousResearch hermes-agent to version 0.12.0 or later.
- Restrict access to the resume endpoint.
- Monitor for suspicious activity on the affected system.
Evidence notes
The CVE record was published on CVE.org, and additional details can be found on NVD.
Official resources
CVE-2026-11461 was published on 2026-06-07T22:16:22.547Z and modified on 2026-06-09T16:16:37.010Z.