
fix(security) restrict unauthenticated webhook binds to loopback #6335

Open
WAXLYY wants to merge 3 commits into NousResearch:main from WAXLYY:fix/webhook-insecure-noauth-bind

@WAXLYY WAXLYY commented Apr 8, 2026

Contributor

Summary

This PR addresses a significant security oversight where the Webhook adapter allowed unauthenticated remote execution when bound to non-loopback interfaces (e.g., 0.0.0.0).

Vulnerability Details

  • Risk: Remote Command Execution (RCE) surface via unauthenticated webhook triggers.
  • Root Cause: The INSECURE_NO_AUTH bypass did not enforce network interface isolation, allowing remote attackers to trigger agent actions if the gateway was exposed.
  • Impact: Critical. Any actor with network access to the webhook port could bypass intent-security and execute toolchains.

Changes

  • Binding Enforcement: The INSECURE_NO_AUTH flag now triggers a hard failure during startup if the bind address is not a loopback IP (127.0.0.1 or ::1).
  • Validation Logic: Added strict interface-to-auth-mode mapping in gateway/platforms/webhook.py.
  • Documentation: Updated website/docs/user-guide/messaging/webhooks.md to clearly define safe testing practices and security requirements.

Testing ✅

  • Comprehensive Coverage: Added 48 regression tests in tests/gateway/test_webhook_adapter.py.
  • Scenarios:
    • Verified 0.0.0.0 with INSECURE_NO_AUTH (Fails as expected).
    • Verified 127.0.0.1 with INSECURE_NO_AUTH (Passes).
    • Verified remote binds with proper WEBHOOK_SECRET (Passes).
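
The startup check this PR describes, as an added example that is not the PR's code and is not taken from gateway/platforms/webhook.py. The function and exception names are hypothetical, and it goes beyond the 127.0.0.1 / ::1 cases named above by also covering the rest of 127.0.0.0/8, IPv4-mapped IPv6 addresses, bracketed literals, and hostnames (which fail closed).

```python
import ipaddress
from typing import Optional


class InsecureBindError(RuntimeError):
    """Startup must abort: auth mode and bind address are incompatible."""


def is_loopback(host: str) -> bool:
    """True only for literal loopback IPs; hostnames are never trusted."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # accept "[::1]" form
    except ValueError:
        # "localhost", "" and other names fail closed: name resolution can
        # be changed after the check, so it proves nothing about the socket.
        return False
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    return (mapped if mapped is not None else addr).is_loopback


def check_webhook_bind(host: str, secret: Optional[str],
                       insecure_no_auth: bool) -> str:
    """Return the auth mode to start with, or raise before listening."""
    if secret:
        # Assumption: a configured WEBHOOK_SECRET wins over the bypass flag.
        return "secret"
    if not insecure_no_auth:
        # Assumption: no secret and no explicit bypass is a config error.
        raise InsecureBindError("set WEBHOOK_SECRET or bind to loopback "
                                "with INSECURE_NO_AUTH")
    if not is_loopback(host):
        raise InsecureBindError(
            f"INSECURE_NO_AUTH refused for non-loopback bind {host!r}")
    return "no-auth-loopback"


if __name__ == "__main__":
    # Constructed sample configurations: (bind host, secret, bypass flag).
    for cfg in [("0.0.0.0", None, True), ("127.0.0.1", None, True),
                ("::", None, True), ("0.0.0.0", "constructed-secret", False)]:
        try:
            print(cfg, "->", check_webhook_bind(*cfg))
        except InsecureBindError as exc:
            print(cfg, "-> startup aborted:", exc)
```
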

dpskate pushed a commit to dpskate/hermes-agent that referenced this pull request Apr 10, 2026
…attern bypass, redaction bypass, network exposure

- Remove hermes-agent root from sandbox PYTHONPATH to prevent internal module
  import and API key exfiltration (mitigates NousResearch#7071)
- Add 8 missing DANGEROUS_PATTERNS: heredoc injection, git destructive ops
  (reset --hard, push --force, clean -f, branch -D, checkout -- .), and
  chmod +x social engineering (mitigates NousResearch#6961)
- Add base64/hex encoded secret detection to redact_sensitive_text() to
  prevent redaction bypass via encoding
- Change default bind address from 0.0.0.0 to 127.0.0.1 for webhook,
  SMS/Twilio, and Telegram adapters (mitigates NousResearch#4260, NousResearch#6335)
- Fix .env and config.yaml file permissions from 644 to 600

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

alt-glitch added the labels type/security (Security vulnerability or hardening), P1 (High — major feature broken, no workaround), comp/gateway (Gateway runner, session dispatch, delivery), and platform/webhook (Webhook / API server) on Apr 30, 2026

@alt-glitch

Collaborator

Related to #6223 — same pattern (enforce auth for non-loopback binds) applied to webhook adapter specifically.

@alt-glitch

Collaborator

Related to #6223.
