CVE-2026-11461

An attacker can remotely trigger the vulnerability by sending a crafted request to the /resume endpoint with a victim's session title. The `resolve_session_by_title` function in `hermes_state.py` is called without any user identity context. This allows any user to bypass authorization and hijack another user's session by guessing or knowing their session title [ref_id=1]. The attack requires no elevated privileges and can be launched from any platform [ref_id=1].

The vulnerability lies within the `resolve_session_by_title` and `get_session_by_title` functions in `hermes_state.py`. These functions execute SQL queries that lack user ID or source constraints, making all sessions accessible by title alone. The `_handle_resume_command` in `gateway/run.py` and the `_resolve_session_by_name_or_id` in `hermes_cli/main.py` call these vulnerable functions without passing the necessary identity context [ref_id=1].

The advisory does not specify any patches or remediation steps. It states that no versions have been patched. Therefore, the vulnerability remains unaddressed in the affected versions.

1. Ensure a running Hermes Agent installation with a shared SQLite session database. 2. Execute the provided Python PoC script (`poc_exploit_minimal.py`) from a directory where `hermes_state` is importable. 3. Observe that the script successfully resolves a victim's session ID using a guessed session title and gains read/write access to the hijacked conversation [ref_id=1].