CVE-2026-10221
Description
Prompt injection in hermes-agent <=0.12.0 via _compress_context allows arbitrary instruction override.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prompt injection in hermes-agent <=0.12.0 via _compress_context allows arbitrary instruction override.
Vulnerability
The vulnerability exists in NousResearch hermes-agent up to version 0.12.0. The function _compress_context in run_agent.py appends a snapshot of active todo items as a {"role": "user"} message without sanitization. This allows any content stored in a todo item to be injected as a user message, overriding system instructions due to LLM's recency bias. [1]
Exploitation
An attacker can remotely initiate the attack by causing the agent to create a todo item with malicious content, via the built-in todo tool. This can be triggered by instructing the agent to read a document or visit a webpage containing the payload. When the agent's context window overflows and triggers compression, the malicious todo content is placed at the end of the compressed conversation as a user message. [1]
Impact
Successful exploitation allows the attacker to hijack the agent's behavior, override system instructions, exfiltrate data, or abuse tools arbitrarily. The attacker gains the ability to execute arbitrary instructions within the agent's operational context. [1]
Mitigation
The vendor was contacted but did not respond. As of the publication date, no official fix or patch is available. Users should avoid using the agent with untrusted todo content or disable the todo snapshot feature if possible. [1]
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=0.12.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization of todo item content allows raw attacker-controlled text to be injected as a trusted user-role message during context compression."
Attack vector
An attacker — either through direct chat interaction or indirectly via a malicious document, GitHub issue, or web page the agent processes — instructs the agent to create a todo item whose `content` field contains a prompt injection payload [ref_id=1]. The `content` field is never sanitized, so the payload passes through verbatim [ref_id=1]. When the agent's context window overflows and triggers `_compress_context()`, the raw todo snapshot is injected as a `{"role": "user"}` message at the tail of the compressed conversation array [ref_id=1]. Because instruction-tuned LLMs prioritize the final user turn, the attacker's payload overrides prior system instructions, enabling arbitrary instruction hijacking, data exfiltration, or tool abuse [ref_id=1].
Affected code
The vulnerability resides in `_compress_context()` in `run_agent.py` and `TodoStore.format_for_injection()` in `tools/todo_tool.py`. The `_compress_context()` method preserves the active task list across compression by calling `format_for_injection()` and appending the result as a `{"role": "user"}` message [ref_id=1]. The `format_for_injection()` method concatenates raw, unsanitized `item["content"]` fields from all active todo items into a single string [ref_id=1].
What the fix does
No official patch has been released by the vendor, who did not respond to the disclosure [ref_id=1]. The advisory notes this is structurally identical to a file-read history injection that was patched in a prior commit (4263350c), but the todo snapshot injection path was left behind [ref_id=1]. The control experiment in the advisory demonstrates that a fix — preventing the raw todo snapshot from being appended as a user-role message — blocks the injection entirely [ref_id=1]. Until an official patch is published, users should sanitize or remove the `{"role": "user"}` wrapping of todo snapshot content in `_compress_context()`.
Preconditions
- configThe agent must have the todo tool and context compression enabled (both are enabled by default)
- inputAttacker must be able to influence the agent's todo list — either directly via chat or indirectly via content the agent processes (documents, web pages, etc.)
- inputThe agent's context window must overflow to trigger _compress_context()
Reproduction
1. Clone hermes-agent and install dependencies. 2. Update the `HERMES_ROOT` variable in the PoC script (`poc_todo_injection.py`) to point to the local checkout. 3. Run `python3 poc_todo_injection.py` [ref_id=1]. 4. Alternatively, against a running API server at `http://localhost:8642`, plant a malicious todo item via curl (e.g., instructing the agent to add a task containing an injection payload), then continue the conversation until context compression fires [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
1- Hermes Agent: Five Injection Flaws Disclosed, Two High-Severity with Public ExploitsVypr Intelligence · Jun 1, 2026