CVE-2026-11461 Overview
CVE-2026-11461 is an authorization bypass vulnerability [CWE-285] affecting NousResearch hermes-agent versions up to 0.12.0. The flaw resides in the resolve_session_by_title function in hermes_state.py, which serves the resume Endpoint. An authenticated attacker can manipulate the Title argument to bypass authorization checks and access sessions belonging to other users. The attack is exploitable over the network and requires only low-level privileges. A public proof-of-concept has been disclosed, and the vendor did not respond to disclosure attempts.
Critical Impact
Remote authenticated attackers can bypass authorization controls in the resume Endpoint and access agent sessions belonging to other users, breaching tenant isolation in hermes-agent deployments.
Affected Products
- NousResearch hermes-agent versions up to and including 0.12.0
- The resolve_session_by_title function in hermes_state.py
- The resume Endpoint component of hermes-agent
Discovery Timeline
- 2026-06-07 - CVE-2026-11461 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-11461
Vulnerability Analysis
The vulnerability is an authorization bypass classified under [CWE-285] Improper Authorization. The resolve_session_by_title function in hermes_state.py resolves agent sessions using a user-supplied Title argument. The function does not adequately verify that the requesting principal owns or has rights to the session identified by that title. An attacker with valid low-privilege credentials can submit a crafted Title value through the resume Endpoint to retrieve or resume sessions associated with other users.
The network-accessible attack surface and low complexity make exploitation straightforward once an attacker holds any authenticated foothold. Public proof-of-concept material has been published on GitHub Gist, increasing the likelihood of opportunistic abuse. The EPSS probability is 0.043% as of 2026-06-11, reflecting low observed exploitation pressure to date.
Root Cause
The root cause is missing or insufficient authorization checks in resolve_session_by_title. The function trusts the Title parameter as a session selector without correlating it to the authenticated principal. Session lookup based on a non-unique, user-controlled identifier without an owner predicate enables cross-account access.
Attack Vector
An attacker authenticates to the hermes-agent instance with any valid low-privilege account. The attacker then sends a request to the resume Endpoint supplying a Title value that matches a session belonging to another user. Because resolve_session_by_title does not enforce ownership, the server returns or resumes the targeted session under the attacker's context.
The vulnerability does not require user interaction and is reachable remotely. No verified exploit code is reproduced here. Refer to the published proof-of-concept material in the GitHub Gist PoC Repository and the VulDB CVE-2026-11461 entry for technical details.
Detection Methods for CVE-2026-11461
Indicators of Compromise
- Requests to the resume Endpoint where the Title parameter does not match any session previously created by the requesting account.
- Successful session resume operations followed by activity inconsistent with the authenticated user's historical behavior.
- Repeated resume Endpoint calls iterating through plausible Title values from a single low-privileged account.
Detection Strategies
- Instrument resolve_session_by_title call sites to log the requesting principal, the supplied Title, and the resolved session owner, then alert when the principal and owner differ.
- Correlate authentication logs with resume Endpoint access to identify accounts touching sessions outside their normal scope.
- Apply anomaly detection on the ratio of resume Endpoint requests to session creation events per account.
Monitoring Recommendations
- Forward hermes-agent application logs to a centralized analytics platform and retain at least 90 days of resume Endpoint activity.
- Build dashboards tracking cross-account session access attempts, failed authorization decisions, and high-volume Title enumeration.
- Alert on any administrative or sensitive sessions being resumed by accounts that did not create them.
How to Mitigate CVE-2026-11461
Immediate Actions Required
- Restrict network exposure of hermes-agent instances to trusted users and networks until a patched release is available.
- Audit existing accounts and rotate credentials for any low-privilege accounts that may have been used to enumerate sessions.
- Review resume Endpoint access logs for cross-account Title lookups and investigate any matches.
Patch Information
No vendor patch is referenced in the available advisory data. The vendor did not respond to disclosure attempts according to the VulDB CVE-2026-11461 entry. Track the upstream hermes-agent repository for fixed releases beyond version 0.12.0.
Workarounds
- Place hermes-agent behind an authenticating reverse proxy that enforces per-user scoping on the resume Endpoint based on the authenticated identity.
- Implement an application-layer wrapper that verifies the session owner returned by resolve_session_by_title matches the requesting principal before completing the resume operation.
- Disable the resume Endpoint in deployments where session resumption is not required by operational workflows.
# Configuration example
# Reverse proxy rule to block cross-account Title lookups until patched
# (deny resume Endpoint access to non-admin principals)
location /resume {
auth_request /auth/validate;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

