Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function _discover_dashboard_plugins of the file hermes_cli/web_server.py of the component CLI web-dashboard Interface. Performing a manipulation of the argument HERMES_ENABLE_PROJECT_PLUGINS results in incorrect comparison. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Local privilege escalation in NousResearch hermes-agent 2026.4.23 allows authenticated local users to manipulate plugin discovery logic via HERMES_ENABLE_PROJECT_PLUGINS environment variable, resulting in unauthorized information disclosure and potential integrity compromise of the CLI web-dashboard interface. Publicly available exploit code exists (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure attempts, leaving remediation status uncertain.
Technical ContextAI
The vulnerability exists in the _discover_dashboard_plugins function within hermes_cli/web_server.py, part of the CLI web-dashboard interface of NousResearch hermes-agent. The flaw is classified as CWE-697 (Incorrect Comparison), indicating a logic error in how the code evaluates the HERMES_ENABLE_PROJECT_PLUGINS configuration parameter during plugin discovery. This incorrect comparison allows manipulation of the plugin loading mechanism, potentially enabling unauthorized plugins or bypassing security controls intended to restrict plugin execution. The CPE identifier (cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*) indicates this affects the hermes-agent product from NousResearch, specifically version 2026.4.23 as noted in the description.
RemediationAI
No vendor-released patch identified at time of analysis due to vendor non-responsiveness to responsible disclosure. Organizations using hermes-agent 2026.4.23 should implement compensating controls: (1) Restrict local system access to the hermes-agent CLI web-dashboard to only trusted administrators - remove access for standard users, noting this may limit legitimate operational workflows. (2) Monitor and log all modifications to HERMES_ENABLE_PROJECT_PLUGINS environment variable through system auditing (auditd on Linux, Sysmon on Windows), though this provides detection rather than prevention. (3) Run hermes-agent processes under least-privilege service accounts that cannot modify system-wide plugin directories, which may constrain plugin functionality but limits blast radius. (4) Consider migrating to alternative AI agent frameworks with active vendor support if hermes-agent is not mission-critical, as vendor abandonment suggests future vulnerabilities will also remain unpatched. Evaluate forking the open-source project if continued use is necessary. Exploit code is available at https://gist.github.com/YLChen-007/062b77ceac6aa9844842a616f5d2ef30 and should be tested in isolated environments to validate control effectiveness.
More in Hermes Agent
View allRemote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands
Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the
Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass
Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipula
Remote code/prompt injection in NousResearch Hermes Agent through 0.12.0 stems from improper neutralization in the _comp
Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate t
Code injection in NousResearch hermes-agent 2026.4.23 allows remote unauthenticated attackers to inject and execute arbi
Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers t
Uncontrolled resource consumption in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenti
Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentica
Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data vi
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality
Same weakness CWE-697 – Incorrect Comparison
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31581
GHSA-cv5c-mh6j-wvp9