Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function execute_code of the file tools/code_execution_tool.py of the component Environment Variable Handler. Such manipulation leads to sandbox issue. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipulate environment variables through the code execution tool, potentially breaking out of the intended security sandbox. The vulnerability has publicly available exploit code and the vendor has not responded to disclosure attempts, leaving systems unpatched.
Technical ContextAI
The vulnerability affects the execute_code function in tools/code_execution_tool.py, specifically in the Environment Variable Handler component. Based on CWE-265 (Privilege/Sandbox Issues), the root cause appears to be improper isolation or validation when handling environment variables during code execution. The hermes-agent appears to be a code execution or automation tool that implements sandboxing, but the sandbox can be bypassed through environment variable manipulation.
RemediationAI
No vendor-released patch identified at time of analysis. The vendor was contacted but did not respond to the disclosure. Organizations should consider disabling or removing hermes-agent until a patch becomes available. If the tool must remain operational, implement network-level access controls to restrict who can reach the service, monitor for exploitation attempts targeting the code execution functionality, and consider running the service in an additional isolation layer such as a container or VM with restricted permissions. Review and restrict environment variable access within the deployment environment.
More in Hermes Agent
View allRemote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands
Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the
Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass
Remote code/prompt injection in NousResearch Hermes Agent through 0.12.0 stems from improper neutralization in the _comp
Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate t
Code injection in NousResearch hermes-agent 2026.4.23 allows remote unauthenticated attackers to inject and execute arbi
Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers t
Uncontrolled resource consumption in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenti
Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentica
Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data vi
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality
DNS rebinding in NousResearch Hermes Agent prior to 0.16.0 allows remote attackers to reach privileged local WebSocket e
Same weakness CWE-265 – Privilege Issues
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31582
GHSA-wm96-9gfh-vvgq