CVE-2026-7113
Authentication Bypass in NousResearch Hermes-Agent Webhooks Endpoint
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nousresearch | hermes-agent | 0.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7113 is a vulnerability in the NousResearch hermes-agent version 0.8.0, specifically in the webhook component. It occurs when the special configuration value INSECURE_NO_AUTH is used, which disables authentication for incoming webhook POST requests. This allows attackers to bypass HMAC signature verification and send unauthenticated requests to the webhook endpoint.
Because of this, an attacker can remotely execute arbitrary code on the host system by sending crafted requests to the webhook. The vulnerability arises from improper authentication handling, and no warnings were originally emitted when this insecure mode was enabled, allowing silent exploitation.
A fix requires an explicit opt-in by setting an environment variable (HERMES_ALLOW_INSECURE_WEBHOOKS=1) to enable this insecure mode, along with warnings to alert administrators, preventing accidental insecure deployments.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows unauthenticated remote code execution on the affected system. An attacker who can reach the webhook endpoint can execute arbitrary terminal commands, read or write files, and access APIs without any authentication.
Such unauthorized access can lead to full system compromise, data theft, data manipulation, or disruption of services. Since the attack can be launched remotely, it poses a significant risk to any deployment exposing the vulnerable webhook endpoint.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if any webhook routes are configured with the secret value "INSECURE_NO_AUTH", which disables authentication and allows unauthenticated remote code execution.
One way to detect exploitation attempts is to monitor POST requests to the webhook endpoints (e.g., /webhooks/{route_name}) that contain suspicious payloads or commands.
A practical detection method is to look for webhook routes configured with the insecure secret or environment variable settings that enable this mode.
- Check configuration files or environment variables for the presence of "INSECURE_NO_AUTH" or if the environment variable HERMES_ALLOW_INSECURE_WEBHOOKS=1 is set.
- Use network monitoring tools or logs to identify POST requests to webhook endpoints that bypass authentication.
- Example command to search for the insecure secret in configuration files: `grep -r "INSECURE_NO_AUTH" /path/to/hermes-agent/config/`
- Example command to check environment variables: `printenv | grep HERMES_ALLOW_INSECURE_WEBHOOKS`
- Monitor incoming webhook POST requests with tools like tcpdump or Wireshark filtering on the webhook endpoint paths.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the insecure mode allowing unauthenticated webhook access is not enabled in your deployment.
Specifically, do not configure any webhook route with the secret value "INSECURE_NO_AUTH" unless you explicitly set the environment variable HERMES_ALLOW_INSECURE_WEBHOOKS=1 at startup.
If the environment variable is not set, the system will raise an error preventing the insecure configuration from being used.
Additionally, review your webhook configurations to remove any routes that bypass authentication.
Monitor for any warnings emitted by the system regarding the use of insecure webhook settings.
Apply any available patches or updates from the Hermes-agent project that enforce these security checks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-7113 allows unauthenticated remote code execution by bypassing authentication on webhook endpoints. This can lead to unauthorized access to sensitive data and systems.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.
Specifically, the ability for attackers to execute arbitrary commands and access files without authentication increases the risk of data exposure, manipulation, or loss, which are critical compliance concerns under these regulations.
Therefore, if this vulnerability is exploited in a production environment, it could lead to violations of regulatory requirements related to data security and privacy.