Vulnerabilities ›

CVE-2026-7113

Medium

CWE-287 — Weakness Type

                    Published: Apr 27, 2026                      ·  Modified: Apr 30, 2026                      ·  Source: NVD                

CVSS v3

5.6

🔗 NVD Official

📄 Description (English)

A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitation is known to be difficult. The exploit has been made public and could be used. The project was informed of the problem early through a pull request but has not reacted yet.

🤖 AI Executive Summary

CVE-2026-7113 is a missing authentication vulnerability in NousResearch hermes-agent 0.8.0's webhook endpoint that allows remote attackers to bypass authentication through manipulation of the _INSECURE_NO_AUTH parameter. The vulnerability requires high complexity to exploit but poses a risk to systems using this component for webhook processing.

📄 Description (Arabic)

يؤثر هذا الضعف على مكون webhook في hermes-agent 0.8.0 حيث يمكن للمهاجمين تجاوز آليات المصادقة عن بعد من خلال معالجة معامل _INSECURE_NO_AUTH. على الرغم من أن الاستغلال يتطلب مستوى تعقيد عالي، فإن الثغرة معروفة علناً وقد تم نشر استغلالات لها.

🤖 ملخص تنفيذي (AI)

A missing authentication flaw exists in hermes-agent 0.8.0 affecting the webhook endpoint, allowing remote bypass of authentication controls through parameter manipulation. This medium-severity vulnerability requires sophisticated exploitation techniques but could enable unauthorized access to webhook functionality.

🤖 AI Intelligence Analysis Analyzed: May 24, 2026 23:08

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

government telecom banking

🎯 MITRE ATT&CK Techniques

T1190 T1133

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update NousResearch hermes-agent to a patched version beyond 0.8.0 immediately. Implement network-level access controls restricting webhook endpoint access to trusted sources only. Review and disable the _INSECURE_NO_AUTH parameter in production environments. Monitor webhook logs for suspicious authentication bypass attempts.

🔧 خطوات المعالجة (العربية)

قم بتحديث NousResearch hermes-agent إلى إصدار مصحح يتجاوز 0.8.0 فوراً. طبق عناصر تحكم في الوصول على مستوى الشبكة تقيد الوصول إلى نقطة نهاية webhook للمصادر الموثوقة فقط. راجع وعطل معامل _INSECURE_NO_AUTH في بيئات الإنتاج. راقب سجلات webhook للمحاولات المريبة لتجاوز المصادقة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2

🔵 SAMA CSF

AC-2 AC-3

🟡 ISO 27001:2022

A.9.2.1 A.9.4.3

🔗 References & Sources 6

🔗

https://github.com/NousResearch/hermes-agent/

cna@vuldb.com

🔗

https://github.com/NousResearch/hermes-agent/issues/6440

cna@vuldb.com

🔗

https://github.com/NousResearch/hermes-agent/pull/6445

cna@vuldb.com

🔗

https://vuldb.com/submit/800802

cna@vuldb.com

🔗

https://vuldb.com/vuln/359713

cna@vuldb.com

🔗

https://vuldb.com/vuln/359713/cti

cna@vuldb.com

📊 CVSS Score

5.6

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityH — High

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score5.6

CWECWE-287

EPSS0.09%

Exploit No

Patch ✗ No

Published 2026-04-27

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-287

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-7113

Introduce Yourself

Sign In Required