MEDIUM 5.3

CVE-2026-10548: Improper Authentication in NousResearch hermes-agent Credential Synchronization

NousResearch's hermes-agent contains a flaw in how it synchronizes Anthropic API credentials from local credential files. An attacker with local access can exploit this to bypass authentication controls, potentially gaining unauthorized access to Anthropic services or resources protected by those credentials. The vulnerability affects versions up to 2026.4.23, and exploit code has already been made public, increasing the practical risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-287
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.23. This affects the function _sync_anthropic_entry_from_credentials_file of the file agent/credential_pool.py of the component Credential Pool Synchronization. The manipulation results in improper authentication. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10548 is an improper authentication vulnerability (CWE-287) in the credential pool synchronization component of hermes-agent. Specifically, the _sync_anthropic_entry_from_credentials_file function in agent/credential_pool.py fails to properly validate or secure credentials during the synchronization process. An attacker with local system access can manipulate this process to bypass intended authentication mechanisms. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects a local attack surface requiring valid user privileges but no user interaction.

Business impact

Organizations using hermes-agent in environments where local system access is possible face credential compromise risk. If an attacker gains local access, they could extract or impersonate Anthropic API credentials, potentially leading to unauthorized API calls, data exfiltration, or service abuse under compromised credentials. The business impact depends on the sensitivity of workloads and data flowing through Anthropic-authenticated services integrated with hermes-agent.

Affected systems

NousResearch hermes-agent versions up to and including 2026.4.23 are affected. The vulnerability resides in the credential pool synchronization function that handles Anthropic API credential imports. Any deployment using this component for credential management is at risk if local attacker access is possible (e.g., shared systems, containers, or multi-tenant environments).

Exploitability

Exploitation requires local access and an existing user account on the system (low privilege sufficient). The low complexity (AC:L) means the attack does not require special conditions or timing. Public exploit code is available, reducing the barrier to weaponization. This positions the vulnerability as moderately practical for insider threats and post-compromise lateral movement scenarios.

Remediation

Upgrade hermes-agent to a patched version released after 2026.4.23. Verify the specific patch version in the NousResearch advisory or release notes. Until patching is possible, restrict local system access and implement strong access controls on machines running hermes-agent. Isolate credential file permissions and monitor for unauthorized credential access attempts.

Patch guidance

Check NousResearch's official repository and security advisories for patched versions released after 2026.4.23. Apply the patch during a maintenance window and test in a staging environment to ensure no compatibility issues with your Anthropic integrations. Verify that credential synchronization behaves correctly post-patch by testing API authentication flows.

Detection guidance

Monitor filesystem access to credential files (agent/credential_pool.py and related credential storage paths) for unexpected read or modification events, especially by non-privileged users. Log and alert on failed authentication attempts following credential synchronization operations. Check system logs for unauthorized local access and privilege escalation attempts that might precede credential tampering.

Why prioritize this

While the CVSS score is MEDIUM (5.3), the public availability of exploit code and the unresponsiveness of the vendor elevate practical risk. Prioritize patching in systems where local access controls are weak or where multi-user/multi-tenant scenarios exist. Organizations in high-trust, single-user environments face lower immediate risk but should still plan upgrades.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects local-only attack vector, requirement for existing user privileges, and limited scope to a single system. However, the public exploit availability and vendor non-responsiveness suggest the risk may escalate faster than the base score indicates. This vulnerability should be treated as higher priority than a generic MEDIUM score if you operate in multi-user or shared-infrastructure environments.

Frequently asked questions

Do I need local credentials to exploit this?

Yes. The attacker must have a valid local user account on the system running hermes-agent. They cannot remotely exploit this vulnerability; it requires local command-line or process access.

What happens if an attacker compromises Anthropic credentials through this flaw?

They could make unauthorized API calls to Anthropic services using your credentials, potentially incurring costs, accessing sensitive data processed via the API, or disrupting services that depend on authenticated Anthropic access.

Why didn't the vendor respond to the disclosure?

NousResearch did not acknowledge or engage with the disclosure according to the CVE record. This may delay official patches and increases reliance on community-driven fixes or workarounds.

Is this vulnerability being actively exploited in the wild?

Public exploit code exists, but there is no confirmed widespread exploitation data. However, local-privilege scenarios (insider threats, container escape, post-compromise lateral movement) could leverage this vulnerability opportunistically.

This analysis is based on publicly available CVE data as of the publication date. Verify all patch versions, affected product ranges, and remediation steps against official NousResearch advisories and release notes. Exploit availability and threat landscape may change; monitor security feeds for updates. This content is for informational purposes and should not replace your organization's own vulnerability assessment and risk management processes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).