Hermes Agent < 0.16.0 - Sensitive File Permission Vulnerability in Store Files
Description
Hermes Agent before 0.16.0 creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644), exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including conversation history, tool payloads, prompts, and per-route HMAC secrets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <0.16.0
Patches
Vulnerability mechanics
Root cause
"Incorrect default file permissions (mode 0o644) on response_store.db and webhook_subscriptions.json allow any local user to read sensitive data."
Attack vector
A local attacker with filesystem access to the machine running Hermes Agent can read `response_store.db` and `webhook_subscriptions.json` directly because both files are created with mode `0o644` (world-readable). No authentication or special privileges are required beyond local user access to the filesystem. The attacker can extract conversation history, tool payloads, prompts, and per-route HMAC secrets from these files. [CWE-276]
Affected code
The vulnerability is in the Hermes Agent state management layer, which creates `response_store.db` and `webhook_subscriptions.json` with world-readable permissions (mode `0o644`). These files are written by the core state persistence code that the patches target.
What the fix does
The patches [patch_id=6466850] [patch_id=6466849] restrict the file permissions on `response_store.db` and `webhook_subscriptions.json` so they are no longer world-readable. The exact mode applied is not shown in the truncated diff, but the fix ensures that only the owning user (and potentially the owning group) can read these sensitive files, preventing local unprivileged users from accessing conversation history, tool payloads, prompts, and HMAC secrets.
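The following is an added example, not Hermes Agent's own code: it contrasts the weak creation pattern described above (a plain `open()` that inherits the process umask and, with the common umask 022, lands at mode 0o644) with a hardened pattern that sets an explicit owner-only mode at creation time, and it includes an audit check a defender can run against an existing state directory. The exact mode the Hermes patches apply is not shown on the page; the 0o600 used here and the `state_dir` layout are assumptions.

```python
import os
import stat
import tempfile

# Store files named in the advisory; the directory they live in is an assumption.
STORE_FILES = ("response_store.db", "webhook_subscriptions.json")

# Permission bits that let anyone other than the owner read the file (CWE-276 check).
GROUP_OR_WORLD_READ = stat.S_IRGRP | stat.S_IROTH


def write_store_default(path: str, data: bytes) -> int:
    """Weak pattern: open() creates the file with 0o666 masked by the process umask.
    With the typical umask 022 that yields 0o644, i.e. world-readable.
    Returns the resulting permission bits."""
    with open(path, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_store_private(path: str, data: bytes) -> int:
    """Hardened pattern (assumed mode, not taken from the Hermes patch): request 0o600
    at creation so there is no window in which the file is readable by others.
    O_CREAT does not tighten an existing file's mode, so chmod is applied as well.
    Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(path: str) -> bool:
    """True when the group or other read bit is set on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & GROUP_OR_WORLD_READ)


def audit_state_dir(state_dir: str, names=STORE_FILES) -> dict:
    """Map each store file that exists in state_dir to whether it is readable
    by users other than the owner."""
    results = {}
    for name in names:
        p = os.path.join(state_dir, name)
        if os.path.exists(p):
            results[name] = is_exposed(p)
    return results


def demo() -> dict:
    """Constructed scenario: create one store file each way under umask 022
    and audit the directory. Contents are placeholder bytes, not real secrets."""
    old_umask = os.umask(0o022)
    try:
        d = tempfile.mkdtemp()
        write_store_default(os.path.join(d, "webhook_subscriptions.json"),
                            b'{"route": "/hook", "secret": "PLACEHOLDER-HMAC"}')
        write_store_private(os.path.join(d, "response_store.db"),
                            b"constructed placeholder db bytes")
        return audit_state_dir(d)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, exposed in demo().items():
        print(f"{name}: {'EXPOSED (group/world readable)' if exposed else 'owner-only'}")
```

Running `audit_state_dir` against a deployed agent's state directory flags files that still carry the pre-fix permissions; on such a host the remediation, beyond upgrading, is to `chmod 600` both files and rotate the per-route HMAC secrets they hold, since the secrets must be presumed readable by any local user while the files were exposed.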
Preconditions
- Auth: The attacker must have local filesystem access to the machine running Hermes Agent (e.g., a shell account or the ability to read files on a shared host).
- Input: The files response_store.db and webhook_subscriptions.json must exist (i.e., the agent must have been used and created these files).
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/NousResearch/hermes-agent/commit/3bace071bfadf2d2bec2ee048471a31ec920e3e8 (mitre, patch)
- www.vulncheck.com/advisories/hermes-agent-sensitive-file-permission-vulnerability-in-store-files (mitre, third-party advisory)
- github.com/NousResearch/hermes-agent/pull/30917 (mitre, issue tracking)
- github.com/NousResearch/hermes-agent/pull/31469 (mitre, issue tracking)
- github.com/NousResearch/hermes-agent/releases/tag/v2026.6.5 (mitre, release notes)