CVE-2026-7022 | SmythOS sre up to 0.0.15 HTTP Header AgentRuntime.class.ts AgentRuntime X-DEBUG-RUN/X-DEBUG-INJ improper authentication

A vulnerability labeled as critical has been found in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication.

This vulnerability is referenced as CVE-2026-7022. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-7022 | SmythOS sre up to 0.0.15 HTTP Header AgentRuntime.class.ts AgentRuntime X-DEBUG-RUN/X-DEBUG-INJ improper authentication

Post correlati

CVE-2024-25154 | Fortra FileCatalyst up to 3.8.8 URL Validation path traversal

CVE-2024-22017 | Node.js up to 20.11.0 io_uring setuid privilege dropping / lowering errors

CVE-2026-32270 | Craft CMS up to 4.10.2/5.5.4 actionPay email/shipping address/billing address information disclosure (GHSA-3vxg-x5f8-f5qf)

CVE-2024-5639 | User Profile Picture Plugin up to 2.6.1 on WordPress resource injection