CVE-2026-10220: NousResearch hermes-agent Injection Vulnerability – Patch Guidance
NousResearch's hermes-agent application contains a vulnerability in how it handles plugin skill requests. An attacker can send specially crafted input to the skill_view function that gets injected into backend operations, potentially compromising the confidentiality, integrity, and availability of the affected system. The vulnerability is network-accessible, requires no authentication, and can be triggered without user interaction. Because exploit details have been publicly disclosed, the attack surface is visible to potential adversaries.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-707, CWE-74
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in NousResearch hermes-agent up to 2026.4.30. Affected is the function _serve_plugin_skill/skill_view of the file tools/skills_tool.py. Executing a manipulation can lead to injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10220 is a remote code injection vulnerability affecting NousResearch hermes-agent versions up to 2026.4.30. The flaw resides in the _serve_plugin_skill/skill_view endpoint within tools/skills_tool.py, where user-supplied input is not properly sanitized before being processed. This allows an attacker to inject malicious payloads that manipulate backend logic, execution flow, or data handling. The vulnerability is classified under CWE-707 (Improper Neutralization) and CWE-74 (Injection), indicating inadequate input validation controls. The CVSS v3.1 score of 7.3 (HIGH) reflects the network accessibility, low complexity of exploitation, and the potential for unauthorized access and data manipulation.
Business impact
Exploitation of this vulnerability could allow an unauthenticated remote attacker to compromise systems running vulnerable versions of hermes-agent. Depending on the injection vector and application context, an attacker may exfiltrate sensitive data, modify application behavior, or disrupt service availability. Organizations relying on hermes-agent for critical workflows face elevated risk of data breach, service interruption, or unauthorized system access. The public disclosure of this vulnerability significantly increases the likelihood of opportunistic exploitation.
Affected systems
NousResearch hermes-agent versions up to and including 2026.4.30 are vulnerable. Verify the exact affected product range and any patched versions by consulting the vendor advisory. Any deployment or integration of hermes-agent within this version window is potentially at risk.
Exploitability
This vulnerability has a high exploitability profile. It requires no authentication, can be triggered over the network without user interaction, and the attack complexity is low. Because exploit code or proof-of-concept details have been publicly disclosed, attackers have reduced barriers to weaponization. The attack surface is immediate and widespread for any internet-facing or network-accessible hermes-agent instance.
Remediation
Organizations should immediately identify all instances of NousResearch hermes-agent in their environment and determine their version. Upgrade to a patched version released by the vendor—consult the vendor's security advisory for the specific minimum version that resolves CVE-2026-10220. If upgrading is not immediately possible, consider disabling or isolating the hermes-agent service, restricting network access via firewall rules, or implementing Web Application Firewall (WAF) rules to block malicious skill_view requests.
Patch guidance
Check the official NousResearch hermes-agent repository or security advisories for the patched release version. Apply the patch during a scheduled maintenance window. Before patching, document the current version and any custom configurations. Test the patch in a non-production environment to verify compatibility with your existing integrations. After patching, validate that plugin skills and skill_view functionality operate as expected.
Detection guidance
Monitor network traffic for HTTP requests to the skill_view endpoint with unusual or suspicious parameters. Look for payloads containing script injection patterns, SQL metacharacters, or command shell syntax in request bodies or query strings. Enable detailed logging on hermes-agent instances to capture skill_view invocations and their arguments. Use intrusion detection systems (IDS) or endpoint detection and response (EDR) tools to flag exploitation attempts. Correlate skill_view errors or exceptions with suspicious network activity to identify compromise attempts.
Why prioritize this
This vulnerability merits high priority remediation due to its CVSS score of 7.3, public exploit disclosure, complete lack of authentication requirements, network accessibility, and the vendor's failure to respond to early disclosure attempts. The combination of ease of exploitation and potential impact on confidentiality, integrity, and availability makes this a near-term risk that demands swift action.
Risk score, explained
The CVSS v3.1 score of 7.3 (HIGH severity) is driven by: (1) Network Attack Vector (AV:N)—no physical or local access required; (2) Low Attack Complexity (AC:L)—exploitation requires minimal sophistication; (3) No Privileges Required (PR:N)—unauthenticated access; (4) No User Interaction (UI:N)—attack succeeds without victim involvement; (5) Unchanged Scope (S:U)—impact is limited to the vulnerable component; and (6) Low impact on Confidentiality, Integrity, and Availability (C:L/I:L/A:L)—data exposure, modification, or service disruption. This score reflects moderate severity with significant ease of exploitation.
Frequently asked questions
Has this vulnerability been added to the CISA KEV catalog?
No. As of the latest update, CVE-2026-10220 is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, though public exploit disclosure has occurred. Monitor CISA's KEV list for any future addition.
What should I do if I cannot patch immediately?
Prioritize compensating controls: restrict network access to hermes-agent via firewall rules, disable the vulnerable skill_view functionality if operationally feasible, isolate affected systems from sensitive networks, and implement monitoring and alerting on skill_view endpoint activity. Plan a patch window as your primary remediation.
How can I confirm my hermes-agent version?
Check the hermes-agent application logs, package metadata, or API response headers for version information. Refer to the vendor's installation or deployment documentation for version verification steps specific to your deployment method (Docker, pip, source, etc.).
Is this vulnerability exploitable offline or only remotely?
This is a remote network vulnerability. An attacker requires network connectivity to the hermes-agent instance. If the service is not exposed to untrusted networks, your immediate risk is reduced, but patching remains essential.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Verify all patch versions, vendor advisories, and affected product ranges directly with NousResearch before deploying remediation. SEC.co makes no warranty regarding the completeness or accuracy of this guidance. Organizations are responsible for assessing risk within their specific environment and implementing appropriate controls. Exploit code or detailed attack vectors are intentionally not provided in this publication. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10221HIGHNousResearch hermes-agent Remote Code Injection Vulnerability
- CVE-2026-10210MEDIUMAstrBot 4.23.6 Prompt Injection Vulnerability
- CVE-2026-10222MEDIUMNousResearch hermes-agent Environment Variable Injection Vulnerability
- CVE-2026-10223MEDIUMNousResearch hermes-agent Injection Vulnerability – Exploit Available
- CVE-2026-10661MEDIUMInput Injection in blender-mcp — MEDIUM Severity Authentication Required
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel