CVE-2026-7113
Received Received - Intake
Authentication Bypass in NousResearch Hermes-Agent Webhooks Endpoint

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitation is known to be difficult. The exploit has been made public and could be used. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7113
EUVD
EUVD-2026-25818
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nousresearch hermes-agent 0.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7113 is a vulnerability in the NousResearch hermes-agent version 0.8.0, specifically in the webhook component. It occurs when the special configuration value INSECURE_NO_AUTH is used, which disables authentication for incoming webhook POST requests. This allows attackers to bypass HMAC signature verification and send unauthenticated requests to the webhook endpoint.

Because of this, an attacker can remotely execute arbitrary code on the host system by sending crafted requests to the webhook. The vulnerability arises from improper authentication handling, and no warnings were originally emitted when this insecure mode was enabled, allowing silent exploitation.

A fix requires an explicit opt-in by setting an environment variable (HERMES_ALLOW_INSECURE_WEBHOOKS=1) to enable this insecure mode, along with warnings to alert administrators, preventing accidental insecure deployments.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated remote code execution on the affected system. An attacker who can reach the webhook endpoint can execute arbitrary terminal commands, read or write files, and access APIs without any authentication.

Such unauthorized access can lead to full system compromise, data theft, data manipulation, or disruption of services. Since the attack can be launched remotely, it poses a significant risk to any deployment exposing the vulnerable webhook endpoint.

Detection Guidance

This vulnerability can be detected by checking if any webhook routes are configured with the secret value "INSECURE_NO_AUTH", which disables authentication and allows unauthenticated remote code execution.

One way to detect exploitation attempts is to monitor POST requests to the webhook endpoints (e.g., /webhooks/{route_name}) that contain suspicious payloads or commands.

A practical detection method is to look for webhook routes configured with the insecure secret or environment variable settings that enable this mode.

  • Check configuration files or environment variables for the presence of "INSECURE_NO_AUTH" or if the environment variable HERMES_ALLOW_INSECURE_WEBHOOKS=1 is set.
  • Use network monitoring tools or logs to identify POST requests to webhook endpoints that bypass authentication.
  • Example command to search for the insecure secret in configuration files: `grep -r "INSECURE_NO_AUTH" /path/to/hermes-agent/config/`
  • Example command to check environment variables: `printenv | grep HERMES_ALLOW_INSECURE_WEBHOOKS`
  • Monitor incoming webhook POST requests with tools like tcpdump or Wireshark filtering on the webhook endpoint paths.
Mitigation Strategies

To mitigate this vulnerability, ensure that the insecure mode allowing unauthenticated webhook access is not enabled in your deployment.

Specifically, do not configure any webhook route with the secret value "INSECURE_NO_AUTH" unless you explicitly set the environment variable HERMES_ALLOW_INSECURE_WEBHOOKS=1 at startup.

If the environment variable is not set, the system will raise an error preventing the insecure configuration from being used.

Additionally, review your webhook configurations to remove any routes that bypass authentication.

Monitor for any warnings emitted by the system regarding the use of insecure webhook settings.

Apply any available patches or updates from the Hermes-agent project that enforce these security checks.

Compliance Impact

The vulnerability CVE-2026-7113 allows unauthenticated remote code execution by bypassing authentication on webhook endpoints. This can lead to unauthorized access to sensitive data and systems.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Specifically, the ability for attackers to execute arbitrary commands and access files without authentication increases the risk of data exposure, manipulation, or loss, which are critical compliance concerns under these regulations.

Therefore, if this vulnerability is exploited in a production environment, it could lead to violations of regulatory requirements related to data security and privacy.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7113. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart