CVE-2026-7022

Summary

A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
SmythOSsre0.0.1affected
SmythOSsre0.0.2affected
SmythOSsre0.0.3affected
SmythOSsre0.0.4affected
SmythOSsre0.0.5affected
SmythOSsre0.0.6affected
SmythOSsre0.0.7affected
SmythOSsre0.0.8affected
SmythOSsre0.0.9affected
SmythOSsre0.0.10affected
SmythOSsre0.0.11affected
SmythOSsre0.0.12affected
SmythOSsre0.0.13affected
SmythOSsre0.0.14affected
SmythOSsre0.0.15affected

Weaknesses

  • CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References