SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication_CVE-2026-7022

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-7022

Source VulDB

Published Apr 26, 2026 at 05:45

Affected Product

Vendor SmythOS

Product sre

Version 0.0.1

Affected Versions SmythOS sre 0.0.1
SmythOS sre 0.0.2
SmythOS sre 0.0.3
SmythOS sre 0.0.4
SmythOS sre 0.0.5
SmythOS sre 0.0.6
SmythOS sre 0.0.7
SmythOS sre 0.0.8
SmythOS sre 0.0.9
SmythOS sre 0.0.10
SmythOS sre 0.0.11
SmythOS sre 0.0.12
SmythOS sre 0.0.13
SmythOS sre 0.0.14
SmythOS sre 0.0.15

CWE Classification

CWE-287

References

{
    "lastseen": "",
    "description": "A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-04-26T05:45:11.931Z",
    "modified": "2026-04-26T05:45:11.931Z",
    "type": "cve",
    "title": "SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/359601\nhttps://vuldb.com/vuln/359601/cti\nhttps://vuldb.com/submit/797643\nhttps://gist.github.com/YLChen-007/c6a4a6a5f4c8b9e758f72c07ca0cd30d",
    "id": "CVE-2026-7022",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "SmythOS sre 0.0.1\nSmythOS sre 0.0.2\nSmythOS sre 0.0.3\nSmythOS sre 0.0.4\nSmythOS sre 0.0.5\nSmythOS sre 0.0.6\nSmythOS sre 0.0.7\nSmythOS sre 0.0.8\nSmythOS sre 0.0.9\nSmythOS sre 0.0.10\nSmythOS sre 0.0.11\nSmythOS sre 0.0.12\nSmythOS sre 0.0.13\nSmythOS sre 0.0.14\nSmythOS sre 0.0.15",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "sre",
    "version": "0.0.1",
    "vendor": "SmythOS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}