A serious security hole has been found in SmythOS, a software platform used to build and run automated AI agents. The flaw allows hackers to sneak past security locks by manipulating invisible messages hidden in web requests.
Think of it like a nightclub bouncer who checks a secret handshake at the door. Someone discovered that if you use the wrong handshake but add special words to your request, the bouncer lets you in anyway. In this case, the bouncer is SmythOS's security system, and the special words are custom HTTP headers called "X-DEBUG-RUN" and "X-DEBUG-INJ."
An attacker can remotely exploit this from anywhere on the internet. They don't need physical access or special software—just knowledge of how to craft the right web request. Once inside, they could access sensitive data, steal information, or control the system running the software.
The vulnerability affects SmythOS versions up to 0.0.15, which suggests this is relatively new software still in early development. The developers haven't publicly responded to the disclosure yet, meaning there's no official fix available. While there are no confirmed attacks happening right now, the vulnerability is publicly known, which increases the danger.
Companies and developers using SmythOS for production work—especially anything handling sensitive data or running automated business processes—are most at risk. This includes organizations building chatbots, data processing systems, or other AI-powered tools on this platform.
Here's what you should do: First, check if you're using SmythOS and, if so, upgrade immediately when a patched version becomes available. Second, contact the SmythOS team directly if you're a customer to ask about a timeline for fixes. Third, if you're not yet on SmythOS, hold off until this is resolved—it's simply not safe for critical work right now.
CVE-2026-7022 is an improper authentication vulnerability in the AgentRuntime class of SmythOS sre ≤ 0.0.15. The HTTP Header Handler inside AgentRuntime.class.ts processes two undocumented debug headers — X-DEBUG-RUN and X-DEBUG-INJ — and routes requests carrying these headers through an alternate execution path that skips authentication enforcement entirely. Because the runtime binds to a network interface and processes HTTP without mandatory credential validation on this code path, a remote, unauthenticated attacker can invoke agent execution primitives or inject payloads directly into a running agent's context.
CVSS 7.3 (HIGH) reflects network attackability, low complexity, no required privileges, and high impact on integrity and availability, with partial confidentiality impact depending on agent configuration.
Root cause: AgentRuntime's HTTP header dispatch branch evaluates X-DEBUG-RUN and X-DEBUG-INJ before the authentication middleware chain executes, allowing any remote caller to trigger privileged agent operations with no credentials.
The runtime's HTTP handler evaluates inbound headers early in the request lifecycle to support developer-mode debugging. The fatal mistake is that this evaluation happens before any authentication guard is applied. In reconstructed pseudocode derived from the component's described behavior:
// AgentRuntime.class.ts — HTTP request entry point (reconstructed pseudocode)
// Compiled TypeScript behavior represented in C-style pseudocode for clarity
typedef struct {
    char     *method;
    char     *path;
    map_t    *headers;   // key-value header store
    buffer_t *body;
} http_request_t;

typedef struct {
    agent_context_t *ctx;
    executor_t      *exec;
    auth_state_t    *auth;   // populated AFTER middleware runs
    uint32_t         flags;
} agent_runtime_t;

int AgentRuntime_handleRequest(agent_runtime_t *rt, http_request_t *req) {
    // BUG: debug header check occurs BEFORE auth middleware is invoked
    const char *debug_run = map_get(req->headers, "X-DEBUG-RUN");
    const char *debug_inj = map_get(req->headers, "X-DEBUG-INJ");

    if (debug_run != NULL) {
        // BUG: no authentication check; rt->auth is still NULL here
        return AgentRuntime_executeRun(rt, debug_run, req->body);
    }
    if (debug_inj != NULL) {
        // BUG: attacker-controlled string injected directly into agent context
        return AgentRuntime_injectPayload(rt->ctx, debug_inj, req->body);
    }

    // Auth middleware would have run here — but we never reach it
    // for requests carrying either debug header
    auth_result_t result = AuthMiddleware_verify(rt->auth, req);
    if (result != AUTH_OK) {
        return http_respond_401(req);
    }
    return AgentRuntime_dispatchNormal(rt, req);
}
The guard logic is structurally inverted. AuthMiddleware_verify is called only when neither debug header is present. Any request bearing X-DEBUG-RUN or X-DEBUG-INJ is dispatched immediately to privileged execution functions with rt->auth uninitialized (effectively null). AgentRuntime_executeRun accepts an agent run descriptor; AgentRuntime_injectPayload deserializes the header value and body directly into the live agent execution context.
Exploitation Mechanics
EXPLOIT CHAIN:
1. Identify a SmythOS sre instance listening on HTTP (default port varies by deployment; commonly 3000, 8080, or 443 behind a reverse proxy).
2. Enumerate available agent IDs via unauthenticated /agents or /status endpoint (separate information-disclosure issue common in dev builds).
3. Craft HTTP request with X-DEBUG-RUN header set to a target agent descriptor. No Authorization or session cookie required:
       POST /run HTTP/1.1
       Host: target:3000
       X-DEBUG-RUN: {"agentId":"","task":""}
       Content-Type: application/json

       {"input": ""}
4. AgentRuntime_handleRequest() reads X-DEBUG-RUN before auth check, calls AgentRuntime_executeRun() with attacker-supplied descriptor.
5. Agent executes under its configured identity and permissions — which may include filesystem access, outbound HTTP, code eval, or LLM API calls billed to the victim's account.
6. For deeper injection, supply X-DEBUG-INJ with a serialized payload targeting the agent's runtime context object:
       X-DEBUG-INJ: {"override":"systemPrompt","value":""}
7. AgentRuntime_injectPayload() deserializes header + body directly into agent_context_t, overwriting live fields (systemPrompt, toolList, memoryStore) without sanitization.
8. Subsequent legitimate agent interactions now operate under attacker-controlled context — persistent until agent restart.
While this is not a memory-corruption class bug, the agent_context_t object layout is relevant for understanding what AgentRuntime_injectPayload can overwrite. The following represents the runtime context structure as inferred from the component's described behavior:
CONTEXT STATE — normal authenticated request:
agent_context_t @ heap
+0x00 agentId -> "agent-uuid-1234"
+0x08 systemPrompt -> "You are a helpful assistant..."
+0x10 toolList -> [http_tool, file_tool, code_tool]
+0x20 credentialCtx -> { openai_key: "sk-...", ... }
+0x30 authState -> { userId: "legitimate-user", verified: true }
CONTEXT STATE — after X-DEBUG-INJ injection (no auth):
agent_context_t @ heap
+0x00 agentId -> "agent-uuid-1234" (unchanged)
+0x08 systemPrompt -> "You are a compromised agent..." <-- OVERWRITTEN
+0x10 toolList -> [http_tool, file_tool, code_tool] (attacker selects)
+0x20 credentialCtx -> { openai_key: "sk-...", ... } (accessible/exfiltrable)
+0x30 authState -> NULL <-- never populated on debug path
Patch Analysis
The correct fix moves the authentication middleware invocation to before any header-based dispatch. Debug header functionality should additionally be gated behind a compile-time or environment-variable flag that is disabled in production builds.
// BEFORE (vulnerable — sre ≤ 0.0.15):
int AgentRuntime_handleRequest(agent_runtime_t *rt, http_request_t *req) {
    const char *debug_run = map_get(req->headers, "X-DEBUG-RUN");
    const char *debug_inj = map_get(req->headers, "X-DEBUG-INJ");

    // BUG: auth check has not run yet; debug paths are fully open
    if (debug_run != NULL) {
        return AgentRuntime_executeRun(rt, debug_run, req->body);
    }
    if (debug_inj != NULL) {
        return AgentRuntime_injectPayload(rt->ctx, debug_inj, req->body);
    }

    auth_result_t result = AuthMiddleware_verify(rt->auth, req);
    if (result != AUTH_OK) { return http_respond_401(req); }
    return AgentRuntime_dispatchNormal(rt, req);
}

// AFTER (patched — sre ≥ 0.0.16, recommended):
int AgentRuntime_handleRequest(agent_runtime_t *rt, http_request_t *req) {
    // FIX 1: authenticate ALL requests before any dispatch
    auth_result_t result = AuthMiddleware_verify(rt->auth, req);
    if (result != AUTH_OK) {
        return http_respond_401(req);
    }

    // FIX 2: debug headers only processed in non-production environments
    if (rt->flags & RUNTIME_FLAG_DEBUG_ENABLED) {
        const char *debug_run = map_get(req->headers, "X-DEBUG-RUN");
        const char *debug_inj = map_get(req->headers, "X-DEBUG-INJ");

        // FIX 3: require elevated role even in debug mode
        if (debug_run != NULL) {
            if (!AuthState_hasRole(rt->auth, ROLE_DEBUG_OPERATOR)) {
                return http_respond_403(req);
            }
            return AgentRuntime_executeRun(rt, debug_run, req->body);
        }
        if (debug_inj != NULL) {
            if (!AuthState_hasRole(rt->auth, ROLE_DEBUG_OPERATOR)) {
                return http_respond_403(req);
            }
            return AgentRuntime_injectPayload(rt->ctx, debug_inj, req->body);
        }
    }
    return AgentRuntime_dispatchNormal(rt, req);
}
Three distinct mitigations are applied in the patched version: authentication runs unconditionally before dispatch; debug header handling is gated on a runtime flag absent in production builds; and the debug path additionally requires a privileged ROLE_DEBUG_OPERATOR role even when debug mode is active.
Detection and Indicators
Detection is straightforward because the attack surface is the HTTP request itself. Log any request carrying X-DEBUG-RUN or X-DEBUG-INJ headers as a high-severity event. In production, these headers should never appear.
INDICATORS OF COMPROMISE:
HTTP access logs — flag any request matching:
Header present: X-DEBUG-RUN
Header present: X-DEBUG-INJ
Example malicious log line:
POST /run HTTP/1.1 200 — X-DEBUG-RUN: {"agentId":"...","task":"..."}
(Note: 200 response with no Authorization header = confirmed exploitation)
Network detection (Suricata rule syntax, one rule per line; Snort uses the http_header modifier in place of the http.header sticky buffer; flow:established,to_server restricts the match to client-to-server request headers):
alert http any any -> $SMYTHOS_SERVERS any (msg:"CVE-2026-7022 SmythOS AgentRuntime debug header bypass"; flow:established,to_server; http.header; content:"X-DEBUG-RUN"; nocase; sid:20267022; rev:1;)
alert http any any -> $SMYTHOS_SERVERS any (msg:"CVE-2026-7022 SmythOS AgentRuntime debug injection header"; flow:established,to_server; http.header; content:"X-DEBUG-INJ"; nocase; sid:20267023; rev:1;)
Runtime indicators:
- Agent executing tasks not initiated by authenticated users
- Unexpected systemPrompt changes in agent telemetry
- API credential usage spikes with no corresponding user sessions
- Agent memory store containing attacker-injected content
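As an added illustration of the log-based indicators above (not code from the advisory or the SmythOS project), the following Node.js scanner applies the two rules to access-log records: any debug header is a high-severity event, and a 2xx response with no Authorization header is treated as confirmed exploitation. It assumes a constructed JSON-lines log layout (one object per request with method, path, status and a headers map); parseLine() is the part to adapt to your proxy's real format.

```javascript
// Added example; not code from the advisory or the SmythOS project.
// Log format is a constructed JSON-lines layout: adapt parseLine() to your own logs.
const DEBUG_HEADERS = ["x-debug-run", "x-debug-inj"];

// Header names are case-insensitive in HTTP, so normalise before matching.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Classify one parsed record. Returns null when nothing is suspicious.
// "high":      a debug header is present (must never occur in production)
// "confirmed": debug header present, 2xx response, and no Authorization header,
//              the advisory's rule for successful unauthenticated exploitation
function classifyRecord(rec) {
  const h = lowerKeys(rec.headers);
  const hit = DEBUG_HEADERS.filter((name) => name in h);
  if (hit.length === 0) return null;
  const success = rec.status >= 200 && rec.status < 300;
  const unauthenticated = !("authorization" in h);
  return {
    severity: success && unauthenticated ? "confirmed" : "high",
    headers: hit,
    request: `${rec.method} ${rec.path} -> ${rec.status}`,
  };
}

// Parse one JSON-lines record; blank or malformed lines yield null so a single
// bad line does not abort the whole scan.
function parseLine(line) {
  if (!line.trim()) return null;
  try { return JSON.parse(line); } catch (e) { return null; }
}

function scanAccessLog(text) {
  return text.split("\n").map(parseLine).filter(Boolean)
    .map(classifyRecord).filter(Boolean);
}

// Constructed sample: a normal authenticated request, a probe that a WAF rejected,
// and a successful unauthenticated bypass via X-DEBUG-INJ.
const SAMPLE_LOG = [
  { method: "POST", path: "/run", status: 200, headers: { authorization: "Bearer <token>", "content-type": "application/json" } },
  { method: "POST", path: "/run", status: 403, headers: { "X-Debug-Run": "{}" } },
  { method: "POST", path: "/run", status: 200, headers: { "x-debug-inj": "{}", "content-type": "application/json" } },
].map((r) => JSON.stringify(r)).join("\n");
```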
Remediation
Immediate actions:
Upgrade SmythOS sre to version 0.0.16 or later when released by the vendor. As of disclosure, the vendor had not responded to contact attempts; monitor the official repository for patch availability.
If upgrade is not immediately possible, deploy a reverse proxy or WAF rule that strips or blocks any request containing the X-DEBUG-RUN or X-DEBUG-INJ HTTP headers before they reach the runtime.
Ensure the SmythOS runtime is not exposed directly to untrusted networks. Network-level controls are a defense-in-depth measure only — the code-level bug must be patched.
Audit logs for historical exploitation using the IOC patterns above. Any 200-series response to a request bearing these headers without a valid Authorization token indicates successful exploitation.
Rotate all credentials accessible to any agent that may have been reached via the debug injection path, including LLM API keys, tool credentials, and memory store contents.
Vendor response: The SmythOS vendor was contacted prior to this disclosure and did not respond. This disclosure follows standard 90-day responsible disclosure practice. The exploit has been publicly disclosed and should be treated as actively weaponizable.