NousResearch hermes-agent prompt_builder.py _scan_context_content injection
Description
A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the function _scan_context_content of the file agent/prompt_builder.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A regex bypass in NousResearch hermes-agent 2026.4.23 allows zero-click prompt injection via auto-loaded context files, leading to full LLM system prompt override.
Vulnerability
A vulnerability exists in agent/prompt_builder.py of NousResearch hermes-agent version 2026.4.23. The function _scan_context_content uses a regex pattern list _CONTEXT_THREAT_PATTERNS that is a duplicate of an earlier, unimproved version. The first pattern ignore\s+(previous|all|above|prior)\s+instructions only matches when a single keyword immediately precedes \s+instructions. Any multi-word filler (e.g., "ignore all prior instructions", "ignore my previous instructions") bypasses the filter and is concatenated verbatim into the outbound LLM system prompt built by build_context_files_prompt() / AIAgent._build_system_prompt(). The agent auto-loads files such as AGENTS.md, agents.md, CLAUDE.md, claude.md, .cursorrules, .cursor/rules/*.mdc, .hermes.md, HERMES.md, and SOUL.md from the current working directory on every session start [1].
Exploitation
An attacker only needs to ship a repository containing a poisoned context file (e.g., AGENTS.md or .cursorrules) with malicious instructions. As soon as a victim runs hermes or hermes-agent inside that directory, the attacker's injected text becomes the first content the LLM reads — a zero-click, no-interaction exploit. No authentication, network access, or user interaction beyond opening the repository is required. The exploit has been made public [1].
Impact
Successful exploitation achieves a full prompt-override primitive. The attacker can chain this into arbitrary tool use by the LLM, including commands for terminal execution, file writing, patching, memory access, and delegated tasks. This leads to complete compromise of the AI agent's behavior and potential control over the host system, depending on the granted tool capabilities [1].
Mitigation
The same class of bypass was fixed in tools/skills_guard.py by PR #192 using a tightened regex ignore\s+(?:\w+\s+)*(previous|all|above|prior)\s+instructions, but the duplicated pattern set in agent/prompt_builder.py was missed. As of the disclosure date, the vendor (NousResearch) has not responded, and no official patch for version 2026.4.23 is available. Users should avoid running the agent in untrusted directories or manually inspect and sanitize any auto-loaded context files until a fix is released [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 2026.4.23
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- gist.github.com/YLChen-007/581fd92de5548fbaacb2092e848a75ccmitreexploit
- vuldb.com/submit/812227mitrethird-party-advisory
- vuldb.com/vuln/365329mitrevdb-entrytechnical-description
- vuldb.com/vuln/365329/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.