MEDIUM 6.3

CVE-2026-11461: hermes-agent Authorization Bypass in Resume Endpoint

NousResearch's hermes-agent contains a flaw that allows an authenticated user to bypass authorization checks by manipulating the 'Title' argument in the resume endpoint. An attacker with valid login credentials can access or modify information they shouldn't have permission to reach. The vulnerability affects versions up to 0.12.0, is remotely exploitable, and exploit details have been publicly disclosed.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-285, CWE-639
Affected products
0 configuration(s)
Published / Modified
2026-06-07 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the resolve_session_by_title function within hermes_state.py, which handles the resume endpoint. The authorization mechanism fails to properly validate that the authenticated user has the appropriate permissions to access the session identified by the Title parameter. This allows an authenticated attacker to bypass access controls (CWE-285) and manipulate authorization decisions (CWE-639), potentially reading or modifying data belonging to other users or sessions.

Business impact

Organizations deploying hermes-agent may face data confidentiality and integrity risks. Authenticated users with basic access could view sensitive information from other sessions or users, or alter configuration and state data. The impact scales with deployment scope—if hermes-agent is used for internal automation, session management, or data handling, unauthorized data access could expose proprietary workflows, configurations, or user information. Integrity compromise could disrupt system operations or alter audit trails.

Affected systems

NousResearch hermes-agent versions up to and including 0.12.0 are vulnerable. The affected component is the resume endpoint accessible through the resolve_session_by_title function. Any deployment running hermes-agent 0.12.0 or earlier with the resume endpoint active and user authentication enabled is at risk. Verify your installed version against NousResearch's repository or release notes.

Exploitability

This vulnerability requires an authenticated attacker (PR:L in the CVSS vector) to exploit; however, the barrier is low if an organization has multiple users or service accounts. The attack is remotely accessible and requires no special conditions or user interaction. Public disclosure of exploit details increases practical risk, as attack code may be incorporated into automated scanning tools or used by less-sophisticated threat actors. The combination of low complexity and remote accessibility makes exploitation straightforward for anyone with valid credentials.

Remediation

Upgrade hermes-agent to a version after 0.12.0 as soon as a patched release becomes available. Verify the fix is included in release notes before deploying. In the interim, implement compensating controls: restrict network access to the resume endpoint to trusted IP ranges, limit user account creation to essential personnel, monitor session-related API calls for anomalous patterns (especially unusual Title parameter values), and enforce regular password rotation for accounts with hermes-agent access.

Patch guidance

Check the NousResearch hermes-agent GitHub repository or official release channel for versions after 0.12.0 that address authorization in the resolve_session_by_title function. Verify patch release notes explicitly mention the fix for CWE-285 and CWE-639. Test the patched version in a non-production environment to confirm the resume endpoint still functions correctly and authorization checks now properly validate user permissions. Upgrade all instances in your environment simultaneously to avoid inconsistent security posture.

Detection guidance

Monitor application logs for resume endpoint requests with unusual or suspicious Title parameter values, especially requests from users accessing sessions outside their normal scope. Look for repeated failed authorization attempts on the resume endpoint or successful accesses followed by data export/modification. If authentication logs are available, correlate resume endpoint calls with user identity to identify cross-user session access. Network-level detection should flag a single authenticated user making resume requests for a high volume of distinct sessions in short timeframes, which may indicate enumeration or abuse.

Why prioritize this

While CVSS 6.3 (MEDIUM) reflects the requirement for prior authentication, the combination of public exploit disclosure and the practical risk of credential compromise (especially in environments with service accounts or shared credentials) elevates priority. Authorization bypass vulnerabilities are frequently leveraged in post-compromise scenarios where an attacker has already obtained one set of credentials. The lack of vendor response suggests patched versions may not be available immediately, making swift detection and access restriction critical. Organizations should prioritize this within their MEDIUM-severity backlog.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects low attack complexity, remote network accessibility, and the requirement for a low-privilege authenticated user. Confidentiality, Integrity, and Availability impacts are each rated as LOW, meaning the attacker gains access to some but not all sensitive information, can modify some but not all data, and can degrade some but not complete system availability. The score is tempered by the authentication requirement; however, in practice, if multiple users or service accounts exist in a deployment, the effective risk is higher. Organizations with restrictive network access or single-user deployments may assess differently.

Frequently asked questions

Do we need credentials to exploit this vulnerability?

Yes, the attacker must have valid authentication credentials (a username and password or equivalent) to access the hermes-agent system. However, once authenticated, they can manipulate the Title parameter to access other users' sessions without additional authorization checks. This is why credential hygiene and account isolation are critical interim mitigations.

Is this vulnerability included in CISA's Known Exploited Vulnerabilities (KEV) catalog?

No, CVE-2026-11461 is not currently listed in CISA's KEV catalog. However, public exploit details have been disclosed, which increases the likelihood of future active exploitation. Security teams should not use the lack of KEV status as a reason to deprioritize patching.

What versions of hermes-agent are safe?

Versions after 0.12.0 are expected to be safe, pending vendor confirmation. Verify the exact fixed version in NousResearch's release notes before upgrading. If no patched version has been released, remain on 0.12.0 with compensating controls until a fix is available.

Can this vulnerability be exploited from outside the network?

Yes, the vulnerability is remotely exploitable (AV:N in the CVSS vector). If your hermes-agent instance is accessible over the internet or an untrusted network, it can be attacked remotely by anyone with valid credentials. If you can restrict network access to trusted IP ranges, do so immediately as a temporary mitigation.

This analysis is provided for informational purposes and reflects the state of publicly available information as of the published date. Specific version numbers, patch availability, and mitigation strategies should be verified against official NousResearch advisories and your organization's security policies. SEC.co makes no warranty regarding the accuracy of third-party vendor information or the efficacy of recommended mitigations. Security teams must conduct their own testing and risk assessment before deploying patches or configuration changes in production environments. This is not legal or professional security advice; consult your internal security and engineering teams for decisions specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).