NousResearch Hermes Agent: Nine CVEs Disclosed in a Single Day Spanning Injection, Sandbox, and Auth Flaws
Nine security vulnerabilities were disclosed on May 24, 2026, across NousResearch's Hermes Agent, spanning OS command injection, sandbox escapes, path traversal, and missing authorization — with multiple exploits already public.
Key findings
- Four High-severity (CVSS 7.3) injection and sandbox-escape flaws disclosed in a single batch
- Multiple exploits are already public, increasing risk of in-the-wild attacks
- Flaws span code execution, OS command injection, path traversal, and missing authorization
- Affects Hermes Agent versions up to 2026.4.23 and specific commit 5157f542
- All nine CVEs published within a five-hour window on May 24, 2026
On May 24, 2026, nine CVEs were published against NousResearch's Hermes Agent, an open-source AI agent framework designed to execute code, interact with messaging platforms, and manage file operations. The batch — spanning a five-hour window from 04:17 UTC to 09:16 UTC — includes four High-severity flaws (CVSS 7.3), three Medium-severity issues (CVSS 5.3–6.5), and two additional Medium-rated bugs. Critically, multiple exploits have been made public, and several of the vulnerabilities can be triggered remotely, putting unpatched deployments at significant risk.
Injection and Sandbox Flaws Dominate the Batch
The most severe cluster involves injection and sandbox-escape vulnerabilities, all rated High (CVSS 7.3). CVE-2026-9368 targets the execute_code function in tools/code_execution_tool.py via the Environment Variable Handler, leading to a sandbox issue that can be exploited remotely. CVE-2026-9367 affects the detect_dangerous_command function in tools/approval.py within the terminal_tool component, enabling OS command injection — also remotely exploitable. CVE-2026-9366 hits the _scan_context_content function in agent/prompt_builder.py, resulting in a general injection vulnerability. Rounding out the injection cluster, CVE-2026-9353 targets the Skills Guard Multi-Word Prompt Handler in agent/skills_guard.py, where manipulation of the THREAT_PATTERNS argument leads to injection.
Missing Authorization and Path Traversal
CVE-2026-9350 (High, CVSS 7.3) affects the check_all_command_guards function in tools/approval.py within the Batch Runner component, resulting in missing authorization — a flaw that could allow attackers to bypass approval checks entirely. The exploit is publicly available. CVE-2026-9351 (Medium, CVSS 6.5) is a path traversal vulnerability in the read_file Tool's _is_blocked_device function in tools/file_tools.py, enabling attackers to read arbitrary files on the host system.
Information Disclosure and Output Escaping
CVE-2026-9352 (Medium, CVSS 5.3) affects the _make_run_env function in tools/environments/local.py within the Messaging Gateway Handler, leading to information disclosure. CVE-2026-9354 (Medium, CVSS 6.5) targets an unknown function in the Slack Agent and Mattermost Agent components, where manipulation of the format_message argument results in output escaping — a bug that could allow injection of malicious content into chat messages sent by the agent.
CLI Web Dashboard Flaw
CVE-2026-9369 (Medium, CVSS 5.3) is an incorrect comparison vulnerability in the _discover_dashboard_plugins function of hermes_cli/web_server.py within the CLI web-dashboard interface. Manipulation of the HERMES_ENABLE_PROJECT_PLUGINS argument triggers the flaw, which could lead to unintended plugin loading or dashboard misconfiguration.
Affected Versions and Patch Status
The vulnerabilities affect Hermes Agent versions up to 2026.4.23 (with some flaws impacting versions up to 2026.4.16 and one affecting a specific commit hash 5157f5427f19488b31c6fdebbacd15d798ce7f63). The vendor, NousResearch, was contacted regarding the disclosures. As of the publication date, users should check the Hermes Agent repository for patched releases and apply updates immediately. Given that multiple exploits have been made public, unpatched instances are at elevated risk of active targeting.
Why This Batch Matters
Hermes Agent is used in AI agent workflows that often involve code execution, file access, and messaging integration — environments where sandbox integrity and authorization controls are critical. The breadth of this batch, spanning injection, sandbox escape, path traversal, authorization bypass, and information disclosure, means that a single unpatched deployment could be compromised through multiple independent attack paths. Users should prioritize updating to the latest available version and review any custom configurations involving the affected components.