Vypr Intelligence · AI-generated · Jun 1, 2026 · 5 CVEs

Hermes Agent: Five Injection Flaws Disclosed, Two High-Severity with Public Exploits

Five injection and resource-consumption vulnerabilities were disclosed in NousResearch's Hermes Agent AI framework, two rated High severity with public exploit code available.

Key findings

  • Five injection and resource-consumption CVEs disclosed together in Hermes Agent on June 1, 2026
  • Two High-severity flaws (CVSS 7.3) affect core agent orchestration and plugin-skill functions
  • Three CVEs have publicly available exploit code, increasing immediate risk
  • All flaws affect versions up to 2026.4.30, except CVE-2026-10221, which affects versions up to v0.12.0 (earlier versioning scheme)
  • No official patch released yet; vendor was contacted prior to disclosure

On June 1, 2026, five security vulnerabilities were disclosed together in NousResearch's Hermes Agent, an open-source AI agent framework. The batch spans two High-severity and three Medium-severity injection flaws, with three CVEs carrying publicly available exploit code. Users running any version up to 2026.4.30 (or 0.12.0 for one CVE) are urged to patch as soon as a fix is published.

Two of the five CVEs were rated High severity (CVSS 7.3). CVE-2026-10221 resides in the _compress_context function inside run_agent.py, a core orchestration file that handles agent conversation context. CVE-2026-10220 affects the _serve_plugin_skill/skill_view function in tools/skills_tool.py, which manages plugin-based skill execution. Both are injection flaws exploitable remotely, and both have public exploit code available, significantly raising the risk of in-the-wild use.

The remaining three CVEs are Medium severity. CVE-2026-10223 (CVSS 6.3) targets the _scan_memory_content function in tools/memory_tool.py, an injection bug with a public exploit. CVE-2026-10222 (CVSS 5.6) affects the _sanitize_env_lines function in hermes_cli/config.py, an injection flaw that requires high attack complexity. CVE-2026-10224 (CVSS 5.3) is a resource-consumption issue in the _handle_webhook_request function of gateway/platforms/feishu.py, which handles incoming webhooks from the Feishu/Lark platform — a denial-of-service vector that could be triggered remotely.

All five CVEs affect Hermes Agent versions up to 2026.4.30, with the exception of CVE-2026-10221, which affects versions up to 0.12.0 (an earlier versioning scheme). The vendor, NousResearch, was contacted prior to disclosure. As of publication, no official patch release has been announced, and users are advised to monitor the project's repository for a patched version.
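Because the five records use two different version schemes, a plain string comparison against "2026.4.30" gives wrong answers for 0.x installs. The following triage helper is an added example, not code from Hermes Agent or Vypr: it takes the thresholds from the advisory above and reports which CVE records cover a given installed version. The caller supplies the version string (for instance from the deployment's package metadata; the distribution name is not given on this page, so it is not assumed here).

```python
"""Triage helper: which of the five Hermes Agent CVE records cover an installed version.

Added example, not code from Hermes Agent or Vypr. Thresholds are the upper
bounds stated in the advisory; the version string is supplied by the caller.
"""
import re
from typing import Dict, List, Tuple

# Upper bound of the affected range per CVE, as stated in the advisory.
# Four records use the 2026.x.y calendar scheme; CVE-2026-10221 is recorded
# against the earlier 0.x.y scheme.
AFFECTED_UP_TO: Dict[str, str] = {
    "CVE-2026-10220": "2026.4.30",  # _serve_plugin_skill/skill_view, CVSS 7.3
    "CVE-2026-10221": "0.12.0",     # _compress_context, CVSS 7.3
    "CVE-2026-10222": "2026.4.30",  # _sanitize_env_lines, CVSS 5.6
    "CVE-2026-10223": "2026.4.30",  # _scan_memory_content, CVSS 6.3
    "CVE-2026-10224": "2026.4.30",  # _handle_webhook_request, CVSS 5.3
}

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'v0.12.0' or '2026.4.30' into a comparable tuple; missing parts are 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def affected_cves(installed: str) -> List[str]:
    """Return the CVE ids whose stated affected range includes `installed`.

    Tuple comparison means a 0.x.y install falls inside the 2026.4.30 ranges
    (it predates the cutoff), while a 2026.x.y install is outside the 0.12.0
    range recorded for CVE-2026-10221, exactly as the records state.
    """
    v = parse_version(installed)
    return sorted(cve for cve, bound in AFFECTED_UP_TO.items()
                  if v <= parse_version(bound))


if __name__ == "__main__":
    # Constructed sample versions covering both schemes and the cutoffs.
    for sample in ("2026.4.30", "2026.5.1", "v0.12.0", "0.12.1"):
        print(sample, "->", affected_cves(sample) or "none listed")
```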

The disclosure of multiple injection flaws — three with public exploits — in a single batch underscores the security challenges facing rapidly evolving AI-agent frameworks. Hermes Agent, which orchestrates large-language-model interactions, plugin execution, and webhook integrations, presents a broad attack surface where injection bugs can lead to unauthorized command execution or service disruption. Organizations using Hermes Agent in production should prioritize applying the forthcoming patch and review their deployment for exposed webhook endpoints and plugin configurations.

AI-written article. Grounded in 5 CVE records listed below.