Skip to main content

Hermes Agent CVE-2026-53870

MEDIUM
Incorrect Default Permissions (CWE-276)
2026-06-17 VulnCheck
6.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Local filesystem access with low-privilege account required; high confidentiality impact from HMAC and conversation data; no integrity or availability impact from the permission flaw itself.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 18:46 vuln.today
Analysis Generated
Jun 17, 2026 - 18:46 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on hermes-agent (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.16.0.

DescriptionCVE.org

Hermes Agent before 0.16.0 creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644), exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including conversation history, tool payloads, prompts, and per-route HMAC secrets.

AnalysisAI

Insecure default file permissions (mode 0o644) in Hermes Agent before v0.16.0 expose two sensitive data files - response_store.db and webhook_subscriptions.json - to any local user on the host system, enabling direct extraction of conversation history, tool payloads, prompts, and per-route HMAC webhook secrets. Any locally authenticated user on the same host can read these files without elevated privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local OS user account on Hermes Agent host
Delivery
Locate world-readable response_store.db and webhook_subscriptions.json on filesystem
Exploit
Read files directly without elevated privileges
Execution
Extract conversation history, prompts, tool payloads from SQLite database
Persist
Extract per-route HMAC secrets from webhook_subscriptions.json
Impact
Forge signed webhook request to trigger unauthorized agent actions

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid local user account on the operating system host running Hermes Agent (CVSS PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) accurately characterizes the exploitation profile: local access, low complexity, low privilege, no user interaction, and high confidentiality impact to the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a shared Linux server running Hermes Agent executes 'sqlite3 /path/to/response_store.db .dump' to extract the full conversation database, recovering conversation history, tool payloads, and prompt content. The attacker then reads webhook_subscriptions.json to obtain per-route HMAC keys, uses them to compute a valid HMAC-SHA256 signature over a crafted payload, and delivers a forged webhook request to the Hermes Agent instance - triggering unauthorized tool executions or configuration changes as if originating from a trusted webhook source. …
Remediation Upgrade to Hermes Agent v0.16.0 (v2026.6.5), which resolves the issue via commit 3bace071bfadf2d2bec2ee048471a31ec920e3e8 incorporated through PRs #30917 and #31469; the release is available at https://github.com/NousResearch/hermes-agent/releases/tag/v2026.6.5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9367 MEDIUM POC
5.5 May 24

Remote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands

CVE-2026-14628 MEDIUM POC
5.5 Jul 04

Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the

CVE-2026-9351 MEDIUM POC
5.5 May 24

Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass

CVE-2026-9368 MEDIUM POC
5.5 May 24

Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipula

CVE-2026-10221 MEDIUM POC
5.5 Jun 01

Remote code/prompt injection in NousResearch Hermes Agent through 0.12.0 stems from improper neutralization in the _comp

CVE-2026-10220 MEDIUM POC
5.5 Jun 01

Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate t

CVE-2026-9366 MEDIUM POC
5.5 May 24

Code injection in NousResearch hermes-agent 2026.4.23 allows remote unauthenticated attackers to inject and execute arbi

CVE-2026-9353 MEDIUM POC
5.5 May 24

Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers t

CVE-2026-10224 MEDIUM POC
5.5 Jun 01

Uncontrolled resource consumption in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenti

CVE-2026-9350 MEDIUM POC
5.5 May 24

Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentica

CVE-2026-9352 MEDIUM POC
5.5 May 24

Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data vi

CVE-2026-7396 MEDIUM POC
5.5 Apr 29

A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality

Share

CVE-2026-53870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy