CVE-2026-7397
Received Received - Intake
Symlink Following in NousResearch Hermes-Agent

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.9.0 is able to mitigate this issue. The patch is identified as 311dac197145e19e07df68feba2cd55d896a3cd1. Upgrading the affected component is recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7397
EUVD
EUVD-2026-26273
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nousresearch hermes-agent 0.8.0
nousresearch hermes-agent 0.9.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw found in the NousResearch hermes-agent version 0.8.0, specifically in the _check_sensitive_path function within the tools/file_tools.py file.

The flaw allows for symlink following manipulation, which means an attacker with local access can exploit symbolic link behavior to potentially perform unauthorized actions.

The exploit code for this vulnerability has been publicly released, increasing the risk of attacks.

Upgrading to version 0.9.0 of the hermes-agent mitigates this issue.

Impact Analysis

This vulnerability requires local access to be exploited, meaning an attacker must have some level of access to the affected system.

Successful exploitation can lead to integrity and availability impacts, as indicated by the CVSS scores, potentially allowing an attacker to manipulate files or disrupt service.

While confidentiality is not affected, the integrity and availability of the system or data could be compromised.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the affected component, NousResearch hermes-agent, from version 0.8.0 to version 0.9.0.

This upgrade includes a patch identified as 311dac197145e19e07df68feba2cd55d896a3cd1 that fixes the security flaw in the _check_sensitive_path function.

Compliance Impact

The vulnerability allows unauthorized writes to sensitive system files on macOS due to a symlink bypass in path checking. This could potentially enable privilege escalation or unauthorized modification of system configuration files if the agent runs with sufficient permissions.

Such unauthorized access or modification of system files could lead to violations of security requirements in common standards and regulations like GDPR or HIPAA, which mandate protection of system integrity and prevention of unauthorized access to sensitive data or system components.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.

Detection Guidance

This vulnerability involves a symlink bypass in the path write protection of the hermes-agent on macOS systems, allowing unauthorized writes to sensitive system files like /etc/hosts by exploiting the symlink from /etc to /private/etc.

To detect if your system is vulnerable, you can check the version of the hermes-agent installed. Versions prior to 0.9.0 are affected and should be upgraded.

Since the vulnerability requires local access and involves file path checks, detection can include verifying if the _check_sensitive_path function properly blocks writes to both /etc/ and /private/etc/ paths.

You can attempt to test the vulnerability by trying to write to sensitive files such as /etc/hosts or /private/etc/hosts using the hermes-agent tools (write_file or patch) and observe if the write is blocked.

Suggested commands to check the hermes-agent version and presence of the vulnerable code:

  • Check hermes-agent version: `hermes-agent --version` or check installed package version.
  • Search for the vulnerable function in the installed files: `grep -r '_check_sensitive_path' /path/to/hermes-agent/`
  • Attempt a controlled write test to a sensitive file (only if safe and authorized): use hermes-agent's write_file or patch commands to write to /etc/hosts or /private/etc/hosts and verify if the operation is blocked.

Monitoring logs or alerts for unauthorized write attempts to sensitive paths on macOS can also help detect exploitation attempts.

Executive Summary

CVE-2026-7397 is a security flaw in the NousResearch hermes-agent version 0.8.0 affecting the _check_sensitive_path function in tools/file_tools.py. On macOS, system directories like /etc are symlinks to /private/etc, but the path check only blocked writes to /etc/ and not to /private/etc/. Because of this, the software's protection mechanism could be bypassed, allowing unauthorized writes to sensitive system files such as /etc/hosts by following symlinks.

The vulnerability requires local access to exploit and involves the manipulation of file paths to bypass write protections. The issue was fixed by updating the path check to validate both the resolved realpath and the normalized original path, and by adding macOS-specific sensitive path prefixes like /private/etc/ and /private/var/ to the blocklist.

Impact Analysis

This vulnerability can allow an attacker with local access to bypass protections and write to sensitive system files on macOS, such as /etc/hosts, /etc/sudoers, and /etc/passwd. Such unauthorized writes could lead to privilege escalation, DNS hijacking, or other malicious activities if the hermes-agent runs with sufficient permissions.

The exploit enables attackers to modify critical system configurations, potentially compromising system integrity and security.

Detection Guidance

This vulnerability involves a symlink bypass in the hermes-agent software on macOS, allowing unauthorized writes to sensitive system files like /etc/hosts by exploiting path resolution issues.

To detect if your system is vulnerable, you can check the version of hermes-agent installed. Versions prior to 0.9.0 are affected.

You can also attempt to verify if the _check_sensitive_path function properly blocks writes to sensitive paths by testing write attempts to files such as /etc/hosts or /private/etc/hosts using hermes-agent's write_file or patch tools.

Suggested commands to check the installed version and presence of the vulnerable code include:

  • Check hermes-agent version: `hermes-agent --version` or check installed package version via your package manager.
  • Search for the vulnerable function in the installed code: `grep -r '_check_sensitive_path' /path/to/hermes-agent/`.
  • Attempt a controlled write test to a sensitive path (only if you have local access and permissions), for example using hermes-agent's API or CLI to write to /etc/hosts and observe if it is blocked.
Mitigation Strategies

The primary and recommended mitigation step is to upgrade hermes-agent to version 0.9.0 or later, which includes the patch that properly handles symlink resolution and blocks writes to sensitive system paths on macOS.

If upgrading immediately is not possible, restrict local access to the hermes-agent to trusted users only, since the exploit requires local access.

Additionally, review and limit the permissions of the hermes-agent process to prevent it from having write access to sensitive system files.

Monitor for any unauthorized attempts to write to sensitive paths such as /etc/hosts, /etc/passwd, or their symlinked equivalents on macOS.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart