CVE-2026-53869

🗓️ 17 Jun 2026 17:57:30Reported by VulnCheckType

CVE-2026-53869 : Hermes Agent prior to 0.16.0 has a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. The FastAPI HTTP middleware is not executed for WebSocket upgrade requests on...

Reporter	Title	Published	Views	Family All 5
Circl	CVE-2026-53869	17 Jun 202621:52	–	circl
Cvelist	CVE-2026-53869 Hermes Agent < 0.16.0 - DNS Rebinding Bypass via WebSocket Endpoints	17 Jun 202617:57	–	cvelist
EUVD	EUVD-2026-37774	17 Jun 202617:57	–	euvd
NVD	CVE-2026-53869	17 Jun 202619:18	–	nvd
Positive Technologies	PT-2026-50518	17 Jun 202600:00	–	ptsecurity

Vulners

Node

nousresearch hermes-agentRange0–0.16.0

[
  {
    "vendor": "NousResearch",
    "product": "hermes-agent",
    "defaultStatus": "unaffected",
    "packageURL": "pkg:npm/hermes-agent",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "versionType": "semver",
        "lessThan": "0.16.0"
      },
      {
        "version": "0.16.0",
        "status": "unaffected",
        "versionType": "semver"
      }
    ],
    "repo": "https://github.com/NousResearch/hermes-agent"
  }
]

Source	Link
vulncheck	www.vulncheck.com/advisories/hermes-agent-dns-rebinding-bypass-via-websocket-endpoints
github	www.github.com/NousResearch/hermes-agent/commit/d9ec90585cf7616b5972e44cf8d92bb569fc3feb
github	www.github.com/NousResearch/hermes-agent/releases/tag/v2026.6.5
github	www.github.com/NousResearch/hermes-agent/pull/30221
github	www.github.com/NousResearch/hermes-agent/pull/31685

17 Jun 2026 20:21Current

5.6Medium risk

Vulners AI Score5.6

CVSS 3.17.5

CVSS 48.7

CWE-306