Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument format_message results in escaping of output. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers to manipulate message formatting in Slack and Mattermost integrations, potentially leading to information disclosure and service disruption. The vulnerability is exploitable via crafted format_message arguments with low attack complexity and requires no user interaction. Public exploit code is available via GitHub Gist. The vendor did not respond to early disclosure attempts, and no patch availability is documented.
Technical ContextAI
The vulnerability affects the Hermes Agent messaging integration layer, specifically the format_message argument handling in Slack Agent and Mattermost Agent components. This is classified as CWE-116 (Improper Encoding or Escaping of Output), indicating the agent fails to properly sanitize or escape output when formatting messages for chat platforms. The affected component (cpe:2.3:a:nousresearch:hermes-agent) processes user-controlled input and renders it to messaging platforms without adequate output encoding. This class of vulnerability typically allows attackers to inject control characters, escape sequences, or formatting directives that bypass intended message boundaries, potentially enabling data exfiltration through crafted responses or disruption of message integrity. The network attack vector suggests the vulnerability can be triggered through API endpoints or webhook handlers that process external message formatting requests.
RemediationAI
No vendor-released patch is documented at time of analysis, as the vendor did not respond to early disclosure. Until an official fix becomes available, implement the following compensating controls: Restrict network access to Hermes Agent API endpoints and webhook handlers to trusted IP ranges only, blocking untrusted external access to format_message functionality. Deploy a reverse proxy or web application firewall to inspect and sanitize format_message parameter inputs, blocking payloads containing escape sequences, control characters, or formatting directives outside expected schemas - note this may break legitimate advanced formatting features if used. Disable Slack Agent and Mattermost Agent components entirely if not operationally required, eliminating the attack surface - impact includes loss of chat platform integration capabilities. Implement strict input validation on all external message sources before passing to format_message, though effectiveness depends on understanding the specific escaping flaw. Monitor VulDB (https://vuldb.com/vuln/365317) and NousResearch project channels for vendor response or community patches. Consider migrating to alternative agent frameworks with active security maintenance if vendor remains unresponsive. Review audit logs for suspicious format_message API calls showing manipulation attempts, focusing on unusual character patterns or formatting directives.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31566
GHSA-7pxq-5rjc-m2wr