CVE-2026-7022

Name of the Vulnerable Software and Affected Versions SmythOS sre versions prior to 0.0.16

Description Improper authentication can be triggered remotely via the HTTP Header Handler component. Specifically, manipulating the X-DEBUG-RUN or X-DEBUG-INJ arguments within the AgentRuntime() function located in the packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts file allows for this issue.

Recommendations As a temporary workaround, restrict or disable the use of the X-DEBUG-RUN and X-DEBUG-INJ arguments in the HTTP Header Handler until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.