CVE-2026-10223
Description
A regex bypass in NousResearch hermes-agent's memory tool allows remote prompt injection, enabling persistent manipulation of agent behavior across sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A regex bypass in NousResearch hermes-agent's memory tool allows remote prompt injection, enabling persistent manipulation of agent behavior across sessions.
Vulnerability
The _scan_memory_content function in tools/memory_tool.py of NousResearch hermes-agent up to version 2026.4.30 uses a flawed regex pattern (ignore\s+(previous|all|above|prior)\s+instructions) that fails to detect prompt injection payloads containing intervening words between 'ignore' and the keyword. For example, "ignore my previous instructions" bypasses the scanner and is written to MEMORY.md. The same vulnerable pattern exists in tools/mcp_tool.py at line 312 [1]. A similar bug was previously patched in cronjob_tools.py but not propagated to these files [1].
Exploitation
An attacker with remote access to any external chat interface (such as API server, Discord, or Slack) that integrates with hermes-agent can send a crafted message containing an injection payload like "ignore ALL prior instructions" or "ignore the above instructions". The payload evades the regex scanner because the pattern requires the keyword to appear immediately after 'ignore'. Once written to MEMORY.md, the injected content is loaded into the agent's system prompt on every session start via load_from_disk(), permanently altering agent behavior across all future sessions [1].
Impact
Successful exploitation allows an attacker to inject arbitrary instructions into the agent's system prompt, effectively hijacking the agent's behavior. This can lead to unauthorized actions, data disclosure, or other malicious operations depending on the injected instructions. The compromise is persistent as the malicious memory entry resides on disk and is reloaded indefinitely [1].
Mitigation
As of the publication date, no patch has been released by the vendor, who did not respond to the initial disclosure [1]. Users should consider disabling the memory tool (if possible) or manually applying a fix similar to the one used in cronjob_tools.py (which uses (?:\w+\s+)* to match zero or more intervening words). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at this time.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2026.4.30
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The regex in `_scan_memory_content()` only matches single-word alternatives between `ignore` and `instructions`, failing to detect injection payloads with intervening words."
Attack vector
An attacker sends a crafted message via any external interface (API server, Discord, Slack) that inserts extra words between `ignore` and the target keyword (e.g., "ignore ALL prior instructions") [ref_id=1]. The `_scan_memory_content()` function returns `None` (allowed) because the rigid regex does not account for intervening words [ref_id=1]. The payload is written to `MEMORY.md` on disk, and on the next session start `load_from_disk()` injects it into the agent's system prompt, permanently altering agent behavior across all future sessions [ref_id=1].
Affected code
The vulnerable function is `_scan_memory_content()` in `tools/memory_tool.py` [ref_id=1]. The regex at line 67 (`r'ignore\s+(previous|all|above|prior)\s+instructions'`) only matches a single keyword immediately after `ignore`, allowing multi-word bypass payloads to pass undetected [ref_id=1]. A similar vulnerable pattern exists in `tools/mcp_tool.py` at line 312, which only optionally matches `all` before `previous` [ref_id=1].
What the fix does
No patch has been released by the vendor [ref_id=1]. The advisory notes that the same root cause was previously patched in `cronjob_tools.py` (commit feea8332) using `(?:\w+\s+)*` to match zero or more intervening words, but `memory_tool.py` and `mcp_tool.py` were not updated with the same fix [ref_id=1]. The recommended remediation is to apply a similar regex pattern that accounts for arbitrary intervening words between `ignore` and the target keyword.
Preconditions
- configMemory tool must be enabled in the agent's toolset (enabled by default)
- networkAttacker must be able to send messages to the agent through any supported interface (API, Discord, Slack)
- authNo authentication required beyond normal chat access
- inputAttacker crafts a payload with extra words between 'ignore' and the keyword
Reproduction
Method 1 (direct scanner bypass): Download `poc_exploit.py` and `control-prompt_injection.py` from the gist, then run `python3 poc_exploit.py` followed by `python3 control-prompt_injection.py` in the hermes-agent directory [ref_id=1]. Method 2 (external API exploit): Start the Hermes gateway with `hermes gateway --config gateway_config.yaml`, download `poc_api_exploit.py`, and run `python3 poc_api_exploit.py` [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
1- Hermes Agent: Five Injection Flaws Disclosed, Two High-Severity with Public ExploitsVypr Intelligence · Jun 1, 2026