CVE-2026-10548
Description
NousResearch hermes-agent up to 2026.4.23 has an authentication bypass flaw in credential pool synchronization, allowing local attackers to merge accounts and cause rate limit cascading.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NousResearch hermes-agent up to 2026.4.23 has an authentication bypass flaw in credential pool synchronization, allowing local attackers to merge accounts and cause rate limit cascading.
Vulnerability
A security flaw exists in NousResearch hermes-agent up to version 2026.4.23, specifically within the _sync_anthropic_entry_from_credentials_file function in agent/credential_pool.py. This vulnerability affects the Credential Pool Synchronization component and arises from an insecure synchronization mechanism with the global credentials file ~/.claude/.credentials.json when Anthropic claude_code credentials encounter rate limits (HTTP 429) [1].
Exploitation
An attacker with local access can exploit this vulnerability. When the agent encounters a rate limit for an Anthropic claude_code credential, it marks the token as exhausted. During the subsequent rotation process, the _sync_anthropic_entry_from_credentials_file function blindly reads the ~/.claude/.credentials.json file and overwrites the pool entry. This process, when applied to multiple exhausted tokens, causes all isolated accounts to merge into a single identity, breaking multi-account pooling and leading to rate limit cascading across all pool credentials [1].
Impact
Successful exploitation allows a local attacker to bypass authentication mechanisms related to credential pooling. The primary impact is the merging of multiple distinct Anthropic accounts into a single identity due to the insecure synchronization. This leads to rate limit cascading across all credentials within the pool, effectively disrupting the intended load distribution and rate limit circumvention strategies [1].
Mitigation
This vulnerability affects NousResearch hermes-agent up to version 2026.4.23. The vendor was contacted early regarding this disclosure but has not provided a response or released a patch. Therefore, no fixed version or workaround is currently available in the provided references. The exploit has been publicly released [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2026.4.23
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The agent improperly synchronizes credentials from a global file when individual tokens are marked as exhausted."
Attack vector
An attacker must have local access to the system running the hermes-agent. The vulnerability is triggered when the agent encounters a rate limit (HTTP 429) while using Anthropic claude_code credentials. This causes the agent to mark the current token as exhausted and subsequently attempt to rotate to a new token. During this rotation, the agent checks for updated credentials in the global `~/.claude/.credentials.json` file, leading to the overwrite of distinct pool entries with the content of this singleton file [ref_id=1].
Affected code
The vulnerability resides in the `agent/credential_pool.py` file. Specifically, the `_sync_anthropic_entry_from_credentials_file` method is responsible for reading from the global `~/.claude/.credentials.json` file [ref_id=1]. The method evaluation point within `_available_entries` dynamically overwrites internal records during status checks, leading to the improper authentication [ref_id=1].
What the fix does
The patch is not provided in the bundle. The advisory indicates that the vulnerability is caused by the `_sync_anthropic_entry_from_credentials_file` method blindly reading from the global `~/.claude/.credentials.json` and overriding pool entries if the `refreshToken` differs [ref_id=1]. Remediation guidance would involve ensuring that credential synchronization is properly scoped and does not overwrite distinct pool entries with global configuration.
Preconditions
- inputThe agent must be configured with multiple Anthropic accounts using `source: claude_code` in `auth.json`.
- inputA global `~/.claude/.credentials.json` file must exist and contain a `refreshToken`.
- authThe attacker must have local access to the system.
Reproduction
1. Download the PoC script from: https://gist.github.com/YLChen-007/5fcaf1ee5120a6f04c11addb1e3ff4c5 2. Set the script to target a local installation of the hermes-agent framework by ensuring `sys.path.insert(0, "/root/llm-agent-project/hermes-agent")` references paths correctly. 3. Run the PoC: `python poc_anthropic_sync.py` 4. The PoC spins up a fake multi-credential `auth.json` containing token-acc-1, token-acc-2, and token-acc-3, and injects a single `HACKED_SINGLE_ACCESS_TOKEN` into the mocked `.claude/.credentials.json`. 5. The PoC runs 10 cycles of `pool.select()` followed by an exhaustion event `pool.mark_exhausted_and_rotate(status_code=429)` to mimic the rate-limit failure of each token. 6. The exploit verifies the resulting tokens in the `auth.json`, which should all be overwritten with the singleton token [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.