NousResearch hermes-agent Batch Runner approval.py check_all_command_guards authorization

Vulnerability

The vulnerability resides in the check_all_command_guards() function in tools/approval.py (lines 736–759) of NousResearch hermes-agent up to version 2026.4.16. The function checks three environment variables (HERMES_INTERACTIVE, HERMES_GATEWAY_SESSION, HERMES_EXEC_ASK) to decide whether to enforce approval prompts for dangerous commands. If none of these variables are set, the function defaults to returning {"approved": True} (line 759), auto-approving all commands. The batch runner (batch_runner.py) creates AIAgent instances without setting any of these environment variables, causing every dangerous command to be automatically approved [1].

Exploitation

An attacker can craft a JSONL dataset containing prompt injection payloads that trigger dangerous commands. When the batch runner processes this dataset, the check_all_command_guards() function sees no interactive environment variables and returns approval for every command. No authentication or user interaction is required; the attack is launched remotely by supplying the malicious dataset to the batch runner [1].

Impact

Successful exploitation allows arbitrary command execution on the host machine with the privileges of the hermes-agent process. This leads to full compromise of confidentiality, integrity, and availability, as the attacker can execute any system command [1].

Mitigation

The vendor was contacted but did not respond, and no official fix has been released as of the publication date. Users should avoid using the batch runner with untrusted datasets. A workaround is to set one of the environment variables (e.g., HERMES_INTERACTIVE=1) to force approval prompts. The exploit is publicly available and may be added to CISA's Known Exploited Vulnerabilities catalog [1].