
Hermes Agent

19 CVEs

CVE-2026-11461 LOW POC Monitor

Authorization bypass in NousResearch hermes-agent up to 0.12.0 allows remote low-privileged authenticated attackers to access or manipulate sessions belonging to other users by supplying an arbitrary session title to the resume endpoint's `resolve_session_by_title` function, which performs no ownership verification. A public proof-of-concept exploit has been disclosed via a GitHub Gist, and the vendor did not respond to pre-disclosure contact, so no patch is currently available. With CVSS 6.3 and a temporal exploit-partial modifier, this presents elevated practical risk in multi-tenant or shared-instance deployments where session isolation is a security boundary.

Category: Authentication Bypass (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 2.1. EPSS: 0.0%.
CVE-2026-10548 LOW POC Monitor

Improper authentication in NousResearch hermes-agent through version 2026.4.23 allows a local low-privileged attacker to manipulate the Credential Pool Synchronization component, specifically the `_sync_anthropic_entry_from_credentials_file` function in `agent/credential_pool.py`, bypassing authentication controls over Anthropic API credentials. A proof-of-concept exploit is publicly available on GitHub and the vendor did not respond to coordinated disclosure, leaving no patch available at time of analysis. No KEV-confirmed active exploitation campaign was identified at time of analysis, but the publicly available exploit code lowers the bar for any attacker already holding local system access.

Category: Authentication Bypass (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 1.9. EPSS: 0.0%.
CVE-2026-10224 MEDIUM POC This Month

Uncontrolled resource consumption in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenticated attackers to degrade service availability by sending crafted requests to the Feishu webhook endpoint. The vulnerable function `_handle_webhook_request` in `gateway/platforms/feishu.py` fails to bound resource usage during webhook processing, enabling denial-of-service conditions. A publicly available proof-of-concept exploit exists (hosted on GitHub), the vendor did not respond to responsible disclosure, and no patch has been released, leaving all deployments with an active Feishu integration exposed with no official remediation path.

Category: Denial Of Service (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-10223 LOW POC Monitor

Injection vulnerability in NousResearch hermes-agent's `_scan_memory_content` function exposes authenticated low-privileged remote users to partial confidentiality, integrity, and availability compromise across all versions through 2026.4.30. The flaw originates in `tools/memory_tool.py`, where user-controlled input is insufficiently neutralized before being passed to downstream components. A public proof-of-concept exploit exists (GitHub gist), and the vendor has not responded to responsible disclosure, so no patch has been released.

Category: Code Injection (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 2.1. EPSS: 0.0%.
CVE-2026-10222 LOW POC Monitor

Injection vulnerability in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenticated attackers to exploit improper neutralization in the `_sanitize_env_lines` function of `hermes_cli/config.py`, achieving partial confidentiality, integrity, and availability impact. The flaw is tagged as code injection (CWE-74), meaning attacker-controlled input passed through this sanitization routine may reach a downstream component in an executable or interpreted context. A public proof-of-concept exploit exists (GitHub gist), though the CVSS vector assigns high attack complexity, indicating exploitation is not trivial. No vendor patch exists; the vendor was unresponsive to coordinated disclosure.

Category: Code Injection (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 2.9. EPSS: 0.0%.
CVE-2026-10221 MEDIUM POC This Month

Remote code/prompt injection in NousResearch Hermes Agent through 0.12.0 stems from improper neutralization in the `_compress_context` function within `run_agent.py` (CWE-74). Publicly available exploit code exists and the issue is remotely triggerable without authentication per the CVSS vector, though impact is bounded to Low across confidentiality, integrity, and availability. The vendor was contacted but did not respond, leaving downstream users without an official fix at time of analysis.

Category: Code Injection (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-10220 MEDIUM POC This Month

Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate the `_serve_plugin_skill`/`skill_view` function in `tools/skills_tool.py`. Publicly available exploit code exists via a GitHub gist, and the vendor has not responded to disclosure attempts, leaving deployments without an official fix. CVSS 7.3 reflects network-reachable, low-complexity exploitation with partial impact across confidentiality, integrity, and availability.

Category: Information Disclosure (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-9369 LOW POC Monitor

Local privilege escalation in NousResearch hermes-agent 2026.4.23 allows authenticated local users to manipulate plugin discovery logic via the `HERMES_ENABLE_PROJECT_PLUGINS` environment variable, resulting in unauthorized information disclosure and potential integrity compromise of the CLI web-dashboard interface. Publicly available exploit code exists (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure attempts, leaving remediation status uncertain.

Category: Information Disclosure (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 1.9. EPSS: 0.0%.
CVE-2026-9368 MEDIUM POC This Month

Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipulate environment variables through the code execution tool, potentially breaking out of the intended security sandbox. The vulnerability has publicly available exploit code and the vendor has not responded to disclosure attempts, leaving systems unpatched.

Category: Information Disclosure (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.1%.
CVE-2026-9367 MEDIUM POC This Month

Remote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands through the `terminal_tool` component's approval mechanism. The vulnerability affects all versions up to commit 5157f5427f19488b31c6fdebbacd15d798ce7f63 and has publicly available exploit code demonstrating the attack. The vendor has not responded to disclosure attempts, leaving users without an official patch.

Category: Command Injection (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 1.0%.
CVE-2026-9366 MEDIUM POC This Month

Code injection in NousResearch hermes-agent 2026.4.23 allows remote unauthenticated attackers to inject and execute arbitrary code through the `_scan_context_content` function in `agent/prompt_builder.py`. The vulnerability has publicly available exploit code and affects all versions up to 2026.4.23, with the vendor failing to respond to disclosure attempts.

Category: Code Injection (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-9353 MEDIUM POC This Month

Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers to inject malicious payloads through the Skills Guard component's multi-word prompt handling mechanism. The vulnerability has publicly available exploit code and allows attackers to achieve limited confidentiality, integrity, and availability impacts without user interaction. Despite early vendor notification, no response or patch has been provided.

Category: Information Disclosure (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-9352 MEDIUM POC This Month

Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data via crafted requests to the Messaging Gateway Handler's environment configuration function. The vulnerability affects versions up to 2026.4.23, with publicly available exploit code demonstrating the attack. EPSS data was not provided, but public POC availability increases immediate risk. The vendor has not responded to disclosure, suggesting no official patch timeline.

Category: Information Disclosure (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-9351 MEDIUM POC This Month

Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass path restrictions and modify or disrupt file operations via the `read_file` tool. The flaw exists in the `_is_blocked_device` function within `tools/file_tools.py`. Public exploit code is available (EPSS data not provided, but the exploit is confirmed). The vendor was notified but did not respond, suggesting no official patch exists at time of analysis.

Category: Path Traversal (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.1%.
CVE-2026-9350 MEDIUM POC This Month

Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentication checks in the Batch Runner component, potentially executing unauthorized commands. The vulnerability affects the `check_all_command_guards` function in `tools/approval.py` and can be exploited without authentication. Publicly available exploit code exists, though the vulnerability is not yet confirmed in CISA KEV.

Category: Authentication Bypass (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-7397 LOW POC PATCH Monitor

A security flaw has been discovered in NousResearch hermes-agent 0.8.0. It affects the function `_check_sensitive_path` of the file `tools/file_tools.py`. The manipulation results in symlink following. The attack requires local access. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.9.0 mitigates this issue. The patch is identified as 311dac197145e19e07df68feba2cd55d896a3cd1. Upgrading the affected component is recommended.

Category: Information Disclosure (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 1.9. EPSS: 0.0%.
CVE-2026-7396 MEDIUM POC This Month

A vulnerability was identified in NousResearch hermes-agent 0.8.0. An unspecified part of the file `gateway/platforms/wecom.py` in the WeChat Work Platform Adapter component is affected. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit is publicly available and might be used.

Category: Path Traversal (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 5.5. EPSS: 0.0%.
CVE-2026-7113 LOW POC PATCH Monitor

Authentication bypass in the hermes-agent 0.8.0 webhook endpoint allows remote attackers to bypass authentication controls via manipulation of the `_INSECURE_NO_AUTH` parameter, resulting in limited confidentiality and integrity impact. The vulnerability requires high attack complexity and has publicly available exploit code; a vendor patch is available, but the project has not yet merged the fix despite early notification.

Category: Authentication Bypass (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 2.9. EPSS: 0.1%.
CVE-2026-7112 LOW POC PATCH Monitor

Improper authentication in the `API_SERVER_KEY` handler of NousResearch hermes-agent 0.8.0 allows remote attackers to bypass authentication checks in the `_check_auth` function via the API server component. The vulnerability has a CVSS score of 6.3 with high attack complexity, and publicly available exploit code exists. The project has not yet responded to early notification via pull request.

Category: Authentication Bypass (Hermes Agent). References: NVD, VulDB, GitHub. CVSS 4.0: 2.9. EPSS: 0.1%.