CVE-2026-10222: NousResearch hermes-agent Environment Variable Injection Vulnerability
A vulnerability exists in NousResearch's hermes-agent software that allows attackers to inject malicious code through improper sanitization of environment variables. The flaw resides in the configuration parsing logic and can be exploited remotely, though successful exploitation requires substantial technical knowledge and effort. While a public exploit exists, the attack surface is limited by high complexity requirements. This is a medium-severity issue affecting versions up to 2026.4.30.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.6 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-707, CWE-74
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.30. Affected by this issue is the function _sanitize_env_lines of the file hermes_cli/config.py. The manipulation results in injection. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10222 is an injection vulnerability in the _sanitize_env_lines function within hermes_cli/config.py. The vulnerability stems from inadequate input validation when processing environment configuration data. An attacker can craft specially formed input to bypass sanitization controls, leading to injection of arbitrary code or commands. The vulnerability is classified under CWE-707 (Improper Neutralization) and CWE-74 (Improper Neutralization of Special Elements in Output), indicating the root cause involves failure to properly escape or neutralize untrusted data before use. Remote exploitation is possible, though the CVSS vector (AC:H) reflects the high attack complexity requirement, suggesting the attack chain demands specific preconditions or unusual configurations.
Business impact
The injection vulnerability could allow an authenticated or network-adjacent attacker to compromise the integrity and confidentiality of systems running vulnerable hermes-agent instances. Potential impacts include unauthorized access to sensitive data processed by the agent, execution of unintended commands within the application context, and potential lateral movement if hermes-agent operates with elevated privileges. Organizations relying on hermes-agent for automation or AI operations should assess their exposure, particularly if the software processes untrusted configuration inputs or runs in sensitive environments. The public availability of exploit code elevates the practical risk despite high complexity.
Affected systems
NousResearch hermes-agent versions up to and including 2026.4.30 are vulnerable. Verify your installed version and cross-reference against vendor advisories for the exact patch timeline and available updates. Organizations should inventory all hermes-agent deployments and their configurations, paying particular attention to systems accepting external configuration input or operating in network-accessible contexts.
Exploitability
While a public exploit has been released, real-world exploitation remains difficult due to high attack complexity (AC:H). This typically means the attacker must satisfy uncommon preconditions: specific software configurations, particular input formats, or timing windows. The attack does not require authentication or user interaction, making it potentially exploitable by remote unauthenticated parties if preconditions are met. The public exploit availability means defenders cannot assume obscurity will protect them, but the complexity barrier provides a window for patching before widespread abuse. Organizations should prioritize visibility into their hermes-agent configurations to determine if they meet exploit prerequisites.
Remediation
Update NousResearch hermes-agent to a patched version beyond 2026.4.30. Verify the specific patched version against the official NousResearch advisory, as this vulnerability has not received vendor acknowledgment or published guidance. Until patching is feasible, implement network segmentation to restrict access to hermes-agent endpoints, validate and sanitize all configuration inputs at the application boundary, and monitor for suspicious environment variable manipulation or injection patterns in logs.
Patch guidance
Check the NousResearch repository and official advisories for availability of version 2026.4.31 or later, which should contain the fix for the _sanitize_env_lines function. Verify patch release notes confirm remediation of CWE-707 and CWE-74 issues in environment variable handling. Test patches in a non-production environment before deployment, as injection vulnerability fixes may affect configuration parsing behavior. Note that the vendor has not publicly acknowledged this issue, so patch guidance may need to be sourced from community discussions, security research, or direct vendor contact via alternative channels.
Detection guidance
Monitor hermes-agent logs and system logs for anomalous environment variable manipulation, unusual configuration parsing errors, or unexpected command execution originating from the config.py module. Look for injection patterns such as escaped shell metacharacters, base64-encoded payloads, or special characters in configuration files or environment inputs. Implement application-level logging in hermes-agent if available to capture sanitization failures. Network-based detection should focus on unusual traffic patterns to hermes-agent endpoints, particularly requests with payloads targeting configuration endpoints. Host-based monitoring should flag unexpected process spawning or file access initiated by hermes-agent processes.
Why prioritize this
Although assigned a MEDIUM CVSS score (5.6), this vulnerability warrants prompt attention due to the combination of remote exploitability, public exploit availability, and the vendor's non-responsiveness. The high attack complexity provides a temporary reprieve, but organizations cannot rely on obscurity. Prioritize based on deployment scope: internet-facing hermes-agent instances or those handling untrusted configuration sources should be patched urgently. Lower-priority remediations can target isolated internal deployments with restricted configuration input.
Risk score, explained
The CVSS 3.1 score of 5.6 (MEDIUM) reflects a remote network attack requiring high complexity, no authentication or user interaction, and impact limited to confidentiality, integrity, and availability within the application's scope. The AV:N component indicates network-based exploitation is possible, but the AC:H requirement significantly constrains practical risk. The PR:N and UI:N factors favor the attacker. The score balances the theoretical exploitability against real-world barriers; organizations with hermes-agent exposed to untrusted inputs should treat this as HIGH priority despite the MEDIUM label. The public exploit and vendor non-responsiveness argue for faster remediation than the score alone suggests.
Frequently asked questions
Is hermes-agent widely used, and what is my organization's likely exposure?
NousResearch hermes-agent adoption is niche compared to mainstream development frameworks, but it is used in AI research, automation pipelines, and specialized cloud-native deployments. Exposure depends on whether your organization uses this tool and whether it processes untrusted configuration or operates in a network-accessible context. Conduct an inventory of all hermes-agent instances and their data flows.
The vendor did not respond to the disclosure. Should I wait for an official patch?
No. The vendor's non-responsiveness does not eliminate the risk. Pursue patching through community sources, the NousResearch GitHub repository, or direct outreach to the maintainers via alternative channels. If a vendor patch remains unavailable after a reasonable period, implement compensating controls (network segmentation, input validation, monitoring) and consider alternatives to hermes-agent if risk tolerance is low.
What does 'high attack complexity' mean for my team's response?
High complexity (AC:H) means the attacker must satisfy unusual preconditions: specific configuration states, rare input formats, or timing windows. This does not make exploitation impossible, but it limits the attacker's options and may slow weaponization. However, once an exploit is public and refined, the complexity barrier can erode. Assume sophisticated attackers or determined competitors may overcome it.
Can I safely run hermes-agent if I control all inputs and configurations?
If your deployment strictly controls configuration sources and does not accept external or user-supplied configuration, your risk is reduced but not eliminated. Assume that internal-only deployments still warrant patching, as insider threats or accidental misconfiguration remain possible. Network segregation and monitoring should complement controlled input practices.
This analysis is provided for informational purposes and reflects the state of public information as of the publication date. Verify all technical details, affected versions, and patch availability against official NousResearch advisories and your organization's specific deployment configuration. CVSS scores and severity ratings are provided by the source database; your organization's risk assessment should account for your unique exposure, asset criticality, and threat landscape. This document does not constitute legal or compliance advice. Consult your security team and vendor resources before making deployment decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10210MEDIUMAstrBot 4.23.6 Prompt Injection Vulnerability
- CVE-2026-10223MEDIUMNousResearch hermes-agent Injection Vulnerability – Exploit Available
- CVE-2026-10661MEDIUMInput Injection in blender-mcp — MEDIUM Severity Authentication Required
- CVE-2026-10220HIGHNousResearch hermes-agent Injection Vulnerability – Patch Guidance
- CVE-2026-10221HIGHNousResearch hermes-agent Remote Code Injection Vulnerability
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23