Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skills_guard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREAT_PATTERNS leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers to inject malicious payloads through the Skills Guard component's multi-word prompt handling mechanism. The vulnerability has publicly available exploit code and allows attackers to achieve limited confidentiality, integrity, and availability impacts without user interaction. Despite early vendor notification, no response or patch has been provided.
Technical ContextAI
The vulnerability affects the NousResearch hermes-agent, specifically in the Skills Guard component's multi-word prompt handler located in agent/skills_guard.py. The root cause is improper neutralization of special elements in user input (CWE-74), where the THREAT_PATTERNS argument can be manipulated to inject malicious content. Based on the CPE string, all versions of hermes-agent are potentially affected, though the description specifically mentions versions up to 2026.4.23.
RemediationAI
No vendor-released patch identified at time of analysis due to vendor non-responsiveness. As primary mitigation, organizations should consider disabling or restricting access to the Skills Guard functionality if business operations permit. Implement input validation and sanitization for any data passed to the THREAT_PATTERNS parameter in skills_guard.py. Monitor for exploitation attempts by logging and alerting on unusual patterns in Skills Guard prompt processing. Consider deploying web application firewall rules to filter potentially malicious multi-word prompts. Organizations heavily dependent on this functionality should evaluate alternative solutions or engage directly with NousResearch for private patch availability.
More in Hermes Agent
View allRemote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands
Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the
Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass
Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipula
Remote code/prompt injection in NousResearch Hermes Agent through 0.12.0 stems from improper neutralization in the _comp
Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate t
Code injection in NousResearch hermes-agent 2026.4.23 allows remote unauthenticated attackers to inject and execute arbi
Uncontrolled resource consumption in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenti
Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentica
Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data vi
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality
DNS rebinding in NousResearch Hermes Agent prior to 0.16.0 allows remote attackers to reach privileged local WebSocket e
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31567
GHSA-238w-f66p-w349