CVE-2026-7022 - Vulnerability Details

- SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication

Description

A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-26

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in SmythOS sre allows attackers to manipulate the X-DEBUG-RUN and X-DEBUG-INJ HTTP headers, causing the AgentRuntime component to skip or incorrectly verify authentication. This results in an authentication bypass that can be exploited to gain unauthorized access to protected resources. The weakness originates from insufficient validation of custom header values, corresponding to CWE-287.

Affected Systems

SmythOS sre versions up to and including 0.0.15 are affected. The vulnerability resides in the AgentRuntime functionality of the HTTP Header Handler.

Risk and Exploitability

The flaw carries a CVSS score of 6.9, indicating moderate severity, and has an EPSS score of less than one percent, suggesting a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. However, the vendor has not released a fix, and the vulnerability can be triggered externally by sending crafted HTTP requests, so defenders should treat it as a potential threat.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SmythOS

sre

affected

Version	Status	Constraints
`0.0.1`	affected	—
`0.0.2`	affected	—
`0.0.3`	affected	—
`0.0.4`	affected	—
`0.0.5`	affected	—
`0.0.6`	affected	—
`0.0.7`	affected	—
`0.0.8`	affected	—
`0.0.9`	affected	—
`0.0.10`	affected	—
`0.0.11`	affected	—
`0.0.12`	affected	—
`0.0.13`	affected	—
`0.0.14`	affected	—
`0.0.15`	affected	—

No data.

Vendor Product Confidence Versions

Smythos

Sre

100%

Version	Status	Scheme	Platform
`0.0.1`	affected	semver	—
`0.0.2`	affected	semver	—
`0.0.3`	affected	semver	—
`0.0.4`	affected	semver	—
`0.0.5`	affected	semver	—
`0.0.6`	affected	semver	—
`0.0.7`	affected	semver	—
`0.0.8`	affected	semver	—
`0.0.9`	affected	semver	—
`0.0.10`	affected	semver	—
`0.0.11`	affected	semver	—
`0.0.12`	affected	semver	—
`0.0.13`	affected	semver	—
`0.0.14`	affected	semver	—
`0.0.15`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Configure the web server or reverse proxy to block or strip the X-DEBUG-RUN and X-DEBUG-INJ headers from incoming requests.
Monitor vendor communications for an official patch and apply it when available.
If an unofficial community patch becomes available, test it in a non‑production environment before deploying.

Generated by OpenCVE AI on April 28, 2026 at 19:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://gist.github.com/YLChen-007/c6a4a6a5f4c8b9e758f72c07ca0cd30d
https://vuldb.com/submit/797643
https://vuldb.com/vuln/359601
https://vuldb.com/vuln/359601/cti

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Smythos Smythos sre
Vendors & Products		Smythos Smythos sre

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 26 Apr 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication
Weaknesses		CWE-287
References		https://gist.github.com/YLChen-007/c6a4a6a5f4c8b9e758f72c07ca0cd30d https://vuldb.com/submit/797643 https://vuldb.com/vuln/359601 https://vuldb.com/vuln/359601/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Smythos Sre

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-26T05:45:11.931Z

Updated: 2026-04-27T13:52:30.369Z

Reserved: 2026-04-25T13:52:25.805Z

Link: CVE-2026-7022

Vulnrichment

Updated: 2026-04-27T13:52:25.212Z

NVD

Status : Deferred

Published: 2026-04-26T06:16:02.210

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses

CWE-287

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object