News

CVE-2026-7022 Flaw in SmythOS Exposes Users to Hackers

CVE-2026-7022 in SmythOS sre allows remote authentication bypass through debug headers


CVE-2026-7022 affects SmythOS sre up to version 0.0.15 and lets a remote attacker manipulate the X-DEBUG-RUN and X-DEBUG-INJ headers to influence authentication in the AgentRuntime path. The flaw is rated 7.3 under CVSS 3.1 and was published by NVD on 2026-04-26.

The vulnerability sits in packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts, in the component the record calls the HTTP Header Handler. The source material states that the exploit has been disclosed publicly and may already be in use, and that the vendor was contacted early about the disclosure but did not respond.

The issue matters because the affected logic ties access control to client-controlled request headers. When a service treats a header as a signal for privileged behavior, a remote request can alter authentication flow without needing a local foothold. The record also maps the weakness to CWE-287, which is improper authentication.

The attack needs no physical or local access: it can be launched over the network against any reachable SmythOS sre endpoint. The stated impact is unauthorized access through bypassed or weakened authentication. The CVSS 3.1 vector records a network attack vector, low attack complexity, no privileges required and no user interaction (AV:N/AC:L/PR:N/UI:N); with those exploitability metrics, a base score of 7.3 corresponds to low impact on each of confidentiality, integrity and availability with unchanged scope, which is why the score is high rather than critical.

The product status lists versions 0.0.1 through 0.0.15 as affected, while the record also notes that NVD enrichment efforts were not prioritized for this CVE. That combination leaves users with a published advisory, public exploit disclosure, and no vendor response in the material provided.

The technical path is narrow but serious: debug-related headers reach the AgentRuntime authentication logic and change how the application decides whether a request should be trusted. That is why this flaw aligns with improper authentication rather than a general runtime bug.
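To make the weakness class concrete, here is an added illustration that is not SmythOS code and not the logic in AgentRuntime.class.ts (the advisory does not quote it): a hypothetical authentication gate that consults the X-DEBUG-RUN header named in the record, next to a hardened form in which debug behaviour can only be layered on top of a successful credential check. The AuthContext shape, the debugAllowed flag and the loopback check are assumptions made for the example.

```typescript
// Added illustration of CWE-287 via client-controlled debug headers.
// NOT the SmythOS implementation; only the header name comes from the advisory.

type Headers = Record<string, string>;

interface AuthContext {
  validToken: boolean;   // outcome of the real credential check (assumed field)
  headers: Headers;      // request headers as received
  debugAllowed: boolean; // server-side config: is debug tooling enabled here? (assumed)
  clientIp: string;      // peer address, used by the hardened gate (assumed)
}

// HTTP header names are case-insensitive, so look them up that way.
function header(headers: Headers, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() === want) return headers[k];
  }
  return undefined;
}

// Vulnerable pattern: the mere presence of a debug header short-circuits
// authentication, so any remote client can be treated as trusted.
function isTrustedVulnerable(ctx: AuthContext): boolean {
  if (header(ctx.headers, "X-DEBUG-RUN") !== undefined) {
    return true; // bypass: the attacker controls this header
  }
  return ctx.validToken;
}

// Hardened pattern: trust depends only on the credential check.
// Request headers never widen authorisation.
function isTrustedHardened(ctx: AuthContext): boolean {
  return ctx.validToken;
}

// Debug behaviour is an extra capability gated on server-side configuration
// and a loopback peer, and it requires a successful authentication first.
function debugModeEnabled(ctx: AuthContext): boolean {
  if (!isTrustedHardened(ctx)) return false;
  if (!ctx.debugAllowed) return false;
  if (ctx.clientIp !== "127.0.0.1") return false;
  return header(ctx.headers, "X-DEBUG-RUN") !== undefined;
}
```

The point of the hardened form is ordering: the header is consulted only after authentication has succeeded and only where an operator has deliberately enabled debugging, so it can never be the reason a request is trusted.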

Possible steps

  • Restrict access to SmythOS sre endpoints so only trusted sources can reach them.
  • Block or strip X-DEBUG-RUN and X-DEBUG-INJ headers at the network boundary.
  • Review any deployment that exposes the HTTP Header Handler to untrusted networks.
  • Monitor logs for requests carrying debug-related headers and unusual authentication success.
  • Track vendor and advisory updates for a confirmed remediation or patched version.
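
One way to implement the header-stripping and log-monitoring steps above, as an added example that is not part of the original page or the SmythOS project: a case-insensitive filter that drops the two advisory headers at the edge and reports what it dropped, and a scanner over a constructed JSON-lines access log that flags requests carrying those headers, ranking an unauthenticated 2xx highest. The log field names (ts, src, path, status, headers, user) are assumptions; adapt them to the proxy or application log actually in use.

```typescript
// Added example: boundary stripping and log detection for the advisory headers.
// Not SmythOS code; the log format is constructed for this example.

type Headers = Record<string, string>;

// Header names from the advisory, compared case-insensitively.
const DEBUG_HEADERS = ["x-debug-run", "x-debug-inj"];

// Return a copy of the headers without the debug ones, plus the names removed
// so the edge can log them.
function stripDebugHeaders(headers: Headers): { cleaned: Headers; stripped: string[] } {
  const cleaned: Headers = {};
  const stripped: string[] = [];
  for (const k of Object.keys(headers)) {
    if (DEBUG_HEADERS.includes(k.toLowerCase())) {
      stripped.push(k);
    } else {
      cleaned[k] = headers[k];
    }
  }
  return { cleaned, stripped };
}

// Assumed log entry shape: one JSON object per line.
interface LogEntry {
  ts: string;
  src: string;
  path: string;
  status: number;
  headers: Headers;
  user?: string; // present only when the request was authenticated
}

interface Finding { ts: string; src: string; path: string; reason: string }

function parseEntry(line: string): LogEntry | null {
  try {
    return JSON.parse(line) as LogEntry;
  } catch {
    return null; // malformed line: skip it rather than abort the scan
  }
}

// Flag every request that carried a debug header. A 2xx with no authenticated
// user on top of that is the "unusual authentication success" worth paging on.
function scanAccessLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const e = parseEntry(line);
    if (e === null) continue;
    const { stripped } = stripDebugHeaders(e.headers ?? {});
    if (stripped.length === 0) continue;
    const anonymous = !e.user;
    const success = e.status >= 200 && e.status < 300;
    const reason = anonymous && success
      ? `debug header ${stripped.join(",")} with unauthenticated 2xx`
      : `debug header ${stripped.join(",")} present`;
    findings.push({ ts: e.ts, src: e.src, path: e.path, reason });
  }
  return findings;
}

// Constructed sample log: two requests with debug headers, one clean
// authenticated request, and one malformed line.
const SAMPLE_LOG: string[] = [
  JSON.stringify({ ts: "2026-04-27T10:00:01Z", src: "203.0.113.5", path: "/agent/run", status: 200,
    headers: { "X-DEBUG-RUN": "1", "Content-Type": "application/json" } }),
  JSON.stringify({ ts: "2026-04-27T10:00:02Z", src: "198.51.100.7", path: "/agent/run", status: 401,
    headers: { "x-debug-inj": "{}" } }),
  JSON.stringify({ ts: "2026-04-27T10:00:03Z", src: "10.0.0.8", path: "/agent/run", status: 200, user: "ops",
    headers: { Authorization: "Bearer REDACTED" } }),
  "not json",
];

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.src} ${f.path}: ${f.reason}`);
}
```

Stripping at the boundary is a stopgap, not a fix: it only protects paths that pass through the proxy, so the detection side matters for any route, sidecar or internal caller that reaches the service directly.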

The record says the exploit has been disclosed publicly and may be used, which raises the value of limiting exposure before any official remediation appears. It also states that the vendor was contacted early about the disclosure but did not respond in any way, so users should not wait for a correction that is not yet documented here.

The CVSS 3.1 score of 7.3 places the flaw in the high severity range, while the CVSS 4.0 data in the record lists a lower base score of 6.9. Even with that difference, the core issue remains the same: remote authentication influence through attacker-supplied headers in an exposed service path.

The record also identifies the vulnerability as published by NVD and references VulDB as the CNA source, with the advisory data centered on improper authentication. For administrators running SmythOS sre versions up to 0.0.15, the practical concern is whether the service is reachable and whether header-based control paths are exposed to untrusted traffic.

Sources: nvd.nist.gov, cve.org, codeant.ai, GitHub Advisories, radar.offseq.com

Written by the uGetFix Editorial Team (Security Editor). The team consists of experienced Windows technicians and cybersecurity researchers; every guide is tested on real hardware before publication.
