PT-2026-50518 · Nousresearch · Hermes-Agent

Published: 2026-06-17 · Updated: 2026-06-17 · CVE-2026-53869

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Hermes Agent versions prior to 0.16.0

Description

A DNS rebinding issue in WebSocket endpoints allows remote attackers to bypass Host and Origin validation. This occurs because FastAPI HTTP middleware does not execute for WebSocket upgrade requests on the '/api/pty', '/api/ws', '/api/pub', and '/api/events' endpoints. DNS rebinding is a technique where a malicious website tricks a browser into sending requests to a local or internal server by manipulating DNS records. This flaw enables attackers to inject malicious commands or read terminal output.

Recommendations

Update to version 0.16.0 or later.
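The gap described above, shown as an added example that is not Hermes Agent code or the project's actual fix: a Host/Origin check that only inspects ASGI `http` scopes (which is how FastAPI's HTTP middleware behaves) never sees a WebSocket upgrade, while a pure ASGI middleware can validate both scope types. The port, the allowlists, `REBOUND_HOST` and the names `Guard`, `endpoint` and `first_event` are assumptions made for illustration.

```python
import asyncio

# Assumed listener address and constructed hostname; neither comes from the advisory.
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000"}
ALLOWED_ORIGINS = {"http://" + h for h in ALLOWED_HOSTS}
REBOUND_HOST = "rebind.example.test:8000"  # name that DNS rebinding points at 127.0.0.1

def header(scope, name):
    """First value of an ASGI header (names are lowercase bytes), or None."""
    return next((v.decode("latin-1") for k, v in scope["headers"] if k == name), None)

def request_allowed(scope):
    """Host must be allowlisted; Origin, when a browser sends it, must be too."""
    origin = header(scope, b"origin")
    return header(scope, b"host") in ALLOWED_HOSTS and (origin is None or origin in ALLOWED_ORIGINS)

async def reject(scope, send):
    if scope["type"] == "websocket":
        # Closing before websocket.accept makes the server refuse the handshake.
        await send({"type": "websocket.close", "code": 1008})
    else:
        await send({"type": "http.response.start", "status": 403, "headers": []})
        await send({"type": "http.response.body", "body": b"forbidden"})

class Guard:
    """Pure ASGI middleware; `scope_types` lists the scope types it validates."""
    def __init__(self, app, scope_types):
        self.app, self.scope_types = app, scope_types
    async def __call__(self, scope, receive, send):
        if scope["type"] in self.scope_types and not request_allowed(scope):
            return await reject(scope, send)
        await self.app(scope, receive, send)

async def endpoint(scope, receive, send):
    """Stand-in for a terminal endpoint: accepts whatever reaches it."""
    if scope["type"] == "websocket":
        await send({"type": "websocket.accept"})

def first_event(scope_types, host):
    """Send one constructed WebSocket upgrade for /api/pty; return the first event type."""
    scope = {"type": "websocket", "path": "/api/pty",
             "headers": [(b"host", host.encode()), (b"origin", b"http://" + host.encode())]}
    sent = []
    async def send(message):
        sent.append(message)
    async def receive():
        return {"type": "websocket.connect"}
    asyncio.run(Guard(endpoint, scope_types)(scope, receive, send))
    return sent[0]["type"]
```

With `scope_types={"http"}` the rebound upgrade reaches the endpoint and is accepted; with `{"http", "websocket"}` it is closed with code 1008 before `websocket.accept`, while a request for an allowlisted host still connects.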

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-53869

Affected Products

Hermes-Agent