CVE-2026-10223: NousResearch hermes-agent Injection Vulnerability – Exploit Available
NousResearch's hermes-agent software contains an injection vulnerability in its memory scanning tool that allows authenticated users to inject malicious input. An attacker with valid credentials can exploit this flaw remotely to manipulate the application's memory handling logic. The vulnerability affects all versions up to 2026.4.30, and exploit code has already been publicly disclosed, raising the practical risk despite a moderate CVSS score.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-707, CWE-74
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in NousResearch hermes-agent up to 2026.4.30. This affects the function _scan_memory_content of the file tools/memory_tool.py. This manipulation causes injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10223 is an injection vulnerability (CWE-707, CWE-74) in the _scan_memory_content function within tools/memory_tool.py of hermes-agent. The flaw allows authenticated users (CVSS vector PR:L) to inject arbitrary input that is processed without sufficient sanitization, leading to uncontrolled command or data manipulation. The vulnerability is remotely exploitable (AV:N) and requires no user interaction, making it straightforward to weaponize once access credentials are obtained. Public exploit availability significantly lowers the barrier to exploitation.
Business impact
Organizations deploying hermes-agent face the risk of data exfiltration, integrity compromise, and potential denial-of-service through an authenticated attack surface. The vulnerability could be leveraged by insider threats or attackers who compromise user credentials to manipulate agent memory, alter decision-making logic, or inject malicious directives into autonomous workflows. In production environments managing sensitive tasks, this poses material operational and compliance risk.
Affected systems
NousResearch hermes-agent versions up to and including 2026.4.30 are confirmed vulnerable. The vendor did not provide patched version information prior to public disclosure, so version status beyond 2026.4.30 should be verified against NousResearch's official advisory. Any deployment of the affected version range, particularly in environments where user authentication is implemented, requires immediate assessment.
Exploitability
This vulnerability has a practical exploitability advantage: public exploit code is available, authenticated access is required but often feasible in compromised or insider-threat scenarios, and no user interaction is needed for successful exploitation. The remote network attack vector (AV:N) combined with low attack complexity (AC:L) means exploitation can be automated and scaled. While the CVSS score of 6.3 (Medium) reflects the authentication requirement, the presence of public exploits and the injection primitive's versatility substantially increase real-world risk.
Remediation
Immediate action: Identify all instances of hermes-agent in your environment and verify the installed version against the affected range (≤2026.4.30). Contact NousResearch directly for patched version availability and upgrade guidance, as the vendor has not yet published a public advisory or patch information. In the interim, enforce strict access controls limiting hermes-agent credential distribution, monitor memory_tool.py invocations for suspicious input patterns, and isolate hermes-agent instances from critical data pipelines if immediate patching is not feasible.
Patch guidance
Check NousResearch's official channels (GitHub repository, security advisory page, or direct vendor communication) for a patched version superseding 2026.4.30. Upgrade as soon as a fix is confirmed and tested in a non-production environment. Given the vendor's lack of early response to disclosure, monitor for community-driven patches or forks if an official patch is significantly delayed. Test all upgrades thoroughly to ensure memory_tool.py functionality remains intact.
Detection guidance
Search logs for authentication events followed by invocations of tools/memory_tool.py, especially calls to _scan_memory_content with unusual or encoded input. Monitor process execution and file modifications initiated by hermes-agent processes. Implement input validation logging at the application level to capture injection attempts. Hunt for malformed or special-character-heavy arguments to memory scanning functions, and correlate suspicious patterns with credential compromise or lateral movement indicators.
Why prioritize this
Although the CVSS score is Medium (6.3), the combination of public exploit availability, authenticated but often-achievable credential compromise vectors, and the injection vulnerability's broad potential impact (confidentiality, integrity, availability) warrants prompt prioritization. Organizations with active hermes-agent deployments should address this within 30 days, particularly if the system interfaces with sensitive decision-making or data access.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects: remote network attack vector (AV:N), low attack complexity (AC:L), low authentication requirement (PR:L), no scope change (S:U), and limited but real impact to confidentiality, integrity, and availability (C:L, I:L, A:L). However, this score does not account for the public availability of exploit code or the likely prevalence of weak credential management in many organizations. Real-world risk should be assessed as elevated relative to the base score for any environment with distributed authentication.
Frequently asked questions
What happens if an attacker exploits this vulnerability?
An authenticated attacker can inject malicious input into hermes-agent's memory scanning function, potentially reading sensitive data from memory, modifying agent logic or outputs, or disrupting the agent's normal operation. The impact depends on the agent's role in your architecture and what data or systems it can access.
Do I need valid credentials to exploit this?
Yes, the CVSS vector indicates authentication is required (PR:L). However, credentials can be obtained through phishing, lateral movement, or by users with legitimate but lower-privileged access attempting unauthorized functions. Any organization with multiple hermes-agent users should assume credential compromise as a realistic threat model.
Is there a patch available from NousResearch?
As of the last update, NousResearch did not respond to early vendor contact. No official patch version or advisory has been published. Contact NousResearch directly or monitor their repository for updates. Third-party or community patches may emerge; evaluate these carefully against your security policies.
What's the difference between the CVSS score and the actual risk?
The CVSS score of 6.3 is a standardized baseline. Real risk is higher due to public exploit availability, the relative ease of obtaining user credentials in many organizations, and the versatility of injection attacks. Use CVSS as one input to prioritization, not the sole decision driver.
This analysis is provided for informational purposes. SEC.co does not represent NousResearch or assume responsibility for vendor advisory accuracy or patch timeline. Readers should verify all version numbers, patch availability, and technical details against official vendor sources and their own system configurations. No exploit code, proof-of-concept instructions, or weaponization guidance is provided herein. Organizations should conduct their own risk assessment and engage qualified security professionals before implementing any remediation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10210MEDIUMAstrBot 4.23.6 Prompt Injection Vulnerability
- CVE-2026-10222MEDIUMNousResearch hermes-agent Environment Variable Injection Vulnerability
- CVE-2026-10661MEDIUMInput Injection in blender-mcp — MEDIUM Severity Authentication Required
- CVE-2026-10220HIGHNousResearch hermes-agent Injection Vulnerability – Patch Guidance
- CVE-2026-10221HIGHNousResearch hermes-agent Remote Code Injection Vulnerability
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23