CVE-2026-10221: NousResearch hermes-agent Remote Code Injection Vulnerability
A code injection vulnerability exists in NousResearch's hermes-agent software, affecting versions up to 0.12.0. The flaw resides in the context compression function and allows remote attackers to inject malicious code without requiring authentication or user interaction. Public exploit code is available, increasing the practical risk of exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-707, CWE-74
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in NousResearch hermes-agent up to 0.12.0. Affected by this vulnerability is the function _compress_context of the file run_agent.py. The manipulation leads to injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10221 is a remote injection vulnerability in the _compress_context function of run_agent.py within NousResearch hermes-agent. The vulnerability stems from improper input handling that fails to sanitize user-supplied data before processing. Attackers can craft malicious payloads that execute arbitrary code on affected systems. The attack vector is network-based with low complexity and requires no privileges or user interaction, making it straightforward to exploit. The vulnerability impacts confidentiality, integrity, and availability of affected systems.
Business impact
Organizations deploying hermes-agent face direct risk of unauthorized code execution, potentially leading to data theft, system compromise, lateral movement, and service disruption. The availability of public exploits significantly shortens the window between disclosure and active attacks. Teams relying on this agent for automation or AI workflows should treat this as a critical operational security issue requiring immediate attention.
Affected systems
NousResearch hermes-agent versions up to and including 0.12.0 are vulnerable. Verify your installed version immediately. Deployment environments vary; any system running a vulnerable hermes-agent instance over network-accessible infrastructure is at risk.
Exploitability
Exploitation is straightforward due to network accessibility, lack of authentication requirements, and low attack complexity. Public exploit code is already circulating, removing technical barriers to attack. Threat actors can weaponize this vulnerability with minimal effort, and active exploitation should be anticipated.
Remediation
Upgrade hermes-agent to a version newer than 0.12.0 once patched versions are released by NousResearch. The vendor was notified early but has not responded; verify the vendor advisory for confirmed patch availability before proceeding. If no patch exists, implement network segmentation to restrict access to hermes-agent deployments and consider disabling the vulnerable functionality if business logic permits.
Patch guidance
Check NousResearch's official repository and security advisories for patched versions exceeding 0.12.0. Apply patches immediately upon availability. Prior to patching, implement temporary compensating controls: restrict network access to hermes-agent instances using firewall rules or network segmentation, limit deployment to isolated or air-gapped environments where possible, and monitor for suspicious context compression function calls. Document your patch timeline and track all systems requiring updates.
Detection guidance
Monitor for suspicious network requests to hermes-agent endpoints, especially those containing unusual or malformed parameters intended for the _compress_context function. Log and alert on unexpected code execution patterns within agent processes. Analyze inbound traffic for injection payloads targeting the vulnerable function. Endpoint detection and response (EDR) tools should flag abnormal process behavior stemming from hermes-agent instances. Check application logs for errors or exceptions in context compression operations that may indicate exploitation attempts.
Why prioritize this
This vulnerability warrants immediate prioritization due to its HIGH CVSS score (7.3), network-based attack vector, absence of authentication or user interaction requirements, and publicly available exploit code. The vendor's lack of response creates uncertainty around patch timelines, necessitating rapid internal remediation. Any exposure of hermes-agent to untrusted networks materially increases organizational risk.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects the combination of remote network accessibility, low attack complexity, no authentication requirement, no user interaction needed, and impact across all three security pillars: confidentiality, integrity, and availability. Public exploit availability elevates practical risk beyond the base score. Organizations should treat this as a high-priority vulnerability requiring action within days, not weeks.
Frequently asked questions
What exactly can an attacker do if they exploit this vulnerability?
An attacker can execute arbitrary code on the affected system with the privileges of the hermes-agent process. This may enable data exfiltration, installation of persistence mechanisms, lateral movement to other systems on the network, or denial of service. The scope and impact depend on what the hermes-agent process can access and what trust relationships exist in your environment.
Do I need to wait for a vendor patch before taking action?
No. While a vendor patch is the long-term solution, you should immediately implement interim controls: restrict network access to hermes-agent deployments, segment affected systems, and monitor for exploitation attempts. Given the vendor's lack of response, you cannot rely on a rapid patch. Isolation and monitoring are essential now.
How can I tell if my systems have been compromised by this exploit?
Look for unexpected process spawning or code execution within your hermes-agent process tree, unusual outbound network connections, modifications to files in unexpected locations, and log entries indicating injection attempts targeting _compress_context. Enable verbose logging on affected systems and correlate with security tool alerts. Forensic analysis by your security team may be necessary if compromise is suspected.
Is there a workaround if I cannot upgrade immediately?
A proper functional workaround does not exist, but mitigations include: disabling hermes-agent entirely if business logic allows, running it in an isolated container with restricted permissions and network access, or placing it behind a Web Application Firewall (WAF) configured to block injection attempts. These are temporary measures; upgrade to a patched version as soon as available.
This analysis is based on publicly available vulnerability data as of the publication date. Version numbers, patch availability, and vendor response status reflect information current at analysis time and may change. Organizations should verify patch availability directly with NousResearch and cross-reference official advisories before implementing remediation. SEC.co provides this intelligence for situational awareness; your organization's risk assessment and response decisions remain your responsibility. No warranty is provided regarding exploit effectiveness, detection accuracy, or patch effectiveness in specific environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10220HIGHNousResearch hermes-agent Injection Vulnerability – Patch Guidance
- CVE-2026-10210MEDIUMAstrBot 4.23.6 Prompt Injection Vulnerability
- CVE-2026-10222MEDIUMNousResearch hermes-agent Environment Variable Injection Vulnerability
- CVE-2026-10223MEDIUMNousResearch hermes-agent Injection Vulnerability – Exploit Available
- CVE-2026-10661MEDIUMInput Injection in blender-mcp — MEDIUM Severity Authentication Required
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel