PatchSiren cyber security CVE debrief
CVE-2026-53869 NousResearch CVE debrief
CVE-2026-53869 is a high-severity DNS rebinding vulnerability in Hermes Agent before 0.16.0. The vulnerability allows remote attackers to bypass Host and Origin validation via WebSocket endpoints. Specifically, the FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints. This enables attackers to exploit DNS rebinding and inject malicious commands or read terminal output. The vulnerability has a CVSS score of 8.7 and is considered HIGH severity. Organizations using Hermes Agent should take immediate action to mitigate this vulnerability.
- Vendor: NousResearch
- Product: hermes-agent
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-18
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-18
Who should care
Organizations using Hermes Agent before version 0.16.0 should prioritize patching this vulnerability to prevent potential attacks. This includes teams responsible for maintaining and securing infrastructure that utilizes Hermes Agent.
Technical summary
The vulnerability exists in the WebSocket endpoints of Hermes Agent, specifically /api/pty, /api/ws, /api/pub, and /api/events. Hermes Agent performs its Host and Origin validation in FastAPI HTTP middleware, and that middleware does not execute for WebSocket upgrade requests, so connections to these endpoints are never subjected to the check. A DNS rebinding attack can therefore reach these endpoints despite the validation, enabling malicious command injection or reading of terminal output.
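The root cause described above is a general FastAPI/Starlette property: an `@app.middleware("http")` hook wraps only ASGI scopes of type `http`, so a WebSocket handshake (scope type `websocket`) never passes through it. The following added example is not Hermes Agent code and does not reproduce its middleware; it uses the raw ASGI interface with no third-party dependencies so it runs stand-alone. `HttpOnlyGuard` mimics the vulnerable pattern (the check applies to `http` scopes only), `HostOriginGuard` is a pure-ASGI middleware that enforces the same Host/Origin policy on both scope types, and the allow-list, paths, header values and the `inner_app` stand-in for the real application are all constructed for the demonstration.

```python
"""Added example: Host/Origin validation that covers WebSocket upgrades.

Every ASGI connection arrives as a ``scope`` dict whose ``type`` is ``http``,
``websocket`` or ``lifespan``.  A check written as FastAPI's
``@app.middleware("http")`` only ever sees ``http`` scopes; a middleware
written against the raw ASGI callable sees all of them.
"""
import asyncio
from urllib.parse import urlsplit

# Constructed allow-list: the names a legitimate browser or client would use.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}


def _header(scope, name: bytes):
    """Return the first header with this (lower-case) name, decoded, or None."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value.decode("latin-1")
    return None


def _hostname(host_header: str) -> str:
    """Strip the port from a Host header value, handling bracketed IPv6 literals."""
    h = host_header.strip().lower()
    if h.startswith("[") and "]" in h:          # e.g. [::1]:8080
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0]


class HostOriginGuard:
    """Pure-ASGI middleware: the policy runs for http AND websocket scopes."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    def _allowed(self, scope) -> bool:
        if scope["type"] not in ("http", "websocket"):
            return True                          # lifespan etc. carry no headers
        host = _header(scope, b"host")
        # DNS rebinding leaves the browser's Host header set to the attacker's
        # name even though the IP resolves to us; the Host check catches that.
        if host is None or _hostname(host) not in self.allowed:
            return False
        origin = _header(scope, b"origin")
        if origin is not None:                   # browsers always send Origin on WS
            origin_host = urlsplit(origin).hostname
            if origin_host is None or origin_host not in self.allowed:
                return False
        return True

    async def __call__(self, scope, receive, send):
        if self._allowed(scope):
            await self.app(scope, receive, send)
            return
        if scope["type"] == "websocket":
            # Closing before accept makes the server answer the handshake with 403.
            await send({"type": "websocket.close", "code": 1008})
        else:
            await send({"type": "http.response.start", "status": 403,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"forbidden"})


class HttpOnlyGuard(HostOriginGuard):
    """Mirrors an ``@app.middleware("http")`` hook: non-http scopes bypass it."""

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)   # WebSocket upgrade skips the check
            return
        await super().__call__(scope, receive, send)


async def inner_app(scope, receive, send):
    """Stand-in for the protected application: accepts whatever reaches it."""
    if scope["type"] == "websocket":
        await send({"type": "websocket.accept"})
    else:
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})


def make_scope(kind: str, host: str, origin=None, path: str = "/api/ws"):
    """Build a minimal ASGI scope with constructed Host/Origin headers."""
    headers = [(b"host", host.encode())]
    if origin is not None:
        headers.append((b"origin", origin.encode()))
    return {"type": kind, "path": path, "headers": headers}


def run(app, scope):
    """Drive one connection through ``app`` and return the messages it sent."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        if scope["type"] == "websocket":
            return {"type": "websocket.connect"}
        return {"type": "http.request", "body": b"", "more_body": False}

    asyncio.run(app(scope, receive, send))
    return sent


if __name__ == "__main__":
    rebinding = make_scope("websocket", "attacker.example", "http://attacker.example")
    print("http-only guard:", run(HttpOnlyGuard(inner_app), rebinding)[0]["type"])
    print("pure-ASGI guard:", run(HostOriginGuard(inner_app), rebinding)[0]["type"])
```

The first printed line shows the handshake being accepted by the http-only pattern, the second shows the pure-ASGI middleware closing it with code 1008 before `accept`. The same `HostOriginGuard` instance also rejects a plain HTTP request with a foreign Host header, so the policy lives in one place and cannot drift between the two transport types.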
Defensive priority
high
Recommended defensive actions
- Upgrade Hermes Agent to version 0.16.0 or later
- Implement additional security measures to monitor and restrict WebSocket traffic
- Conduct regular vulnerability assessments and penetration testing
- Ensure Host and Origin validation also runs for WebSocket upgrade requests, not only for requests handled by the FastAPI HTTP middleware
- Monitor for suspicious activity and implement incident response plans
Evidence notes
The information provided is based on data from the National Vulnerability Database (NVD) and other reliable sources. The vulnerability details and CVSS score are subject to change as new information becomes available.
Official resources