CVE-2026-7397
Symlink Following in NousResearch Hermes-Agent
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nousresearch | hermes-agent | 0.8.0 |
| nousresearch | hermes-agent | 0.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7397 is a security flaw in the NousResearch hermes-agent version 0.8.0 affecting the _check_sensitive_path function in tools/file_tools.py. On macOS, system directories like /etc are symlinks to /private/etc, but the path check only blocked writes to /etc/ and not to /private/etc/. Because of this, the software's protection mechanism could be bypassed, allowing unauthorized writes to sensitive system files such as /etc/hosts by following symlinks.
The vulnerability requires local access to exploit and involves the manipulation of file paths to bypass write protections. The issue was fixed by updating the path check to validate both the resolved realpath and the normalized original path, and by adding macOS-specific sensitive path prefixes like /private/etc/ and /private/var/ to the blocklist.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with local access to bypass protections and write to sensitive system files on macOS, such as /etc/hosts, /etc/sudoers, and /etc/passwd. Such unauthorized writes could lead to privilege escalation, DNS hijacking, or other malicious activities if the hermes-agent runs with sufficient permissions.
The exploit enables attackers to modify critical system configurations, potentially compromising system integrity and security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a symlink bypass in the hermes-agent software on macOS, allowing unauthorized writes to sensitive system files like /etc/hosts by exploiting path resolution issues.
To detect if your system is vulnerable, you can check the version of hermes-agent installed. Versions prior to 0.9.0 are affected.
You can also attempt to verify if the _check_sensitive_path function properly blocks writes to sensitive paths by testing write attempts to files such as /etc/hosts or /private/etc/hosts using hermes-agent's write_file or patch tools.
Suggested commands to check the installed version and presence of the vulnerable code include:
- Check hermes-agent version: `hermes-agent --version` or check installed package version via your package manager.
- Search for the vulnerable function in the installed code: `grep -r '_check_sensitive_path' /path/to/hermes-agent/`.
- Attempt a controlled write test to a sensitive path (only if you have local access and permissions), for example using hermes-agent's API or CLI to write to /etc/hosts and observe if it is blocked.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade hermes-agent to version 0.9.0 or later, which includes the patch that properly handles symlink resolution and blocks writes to sensitive system paths on macOS.
If upgrading immediately is not possible, restrict local access to the hermes-agent to trusted users only, since the exploit requires local access.
Additionally, review and limit the permissions of the hermes-agent process to prevent it from having write access to sensitive system files.
Monitor for any unauthorized attempts to write to sensitive paths such as /etc/hosts, /etc/passwd, or their symlinked equivalents on macOS.
Can you explain this vulnerability to me?
This vulnerability is a security flaw found in the NousResearch hermes-agent version 0.8.0, specifically in the _check_sensitive_path function within the tools/file_tools.py file.
The flaw allows for symlink following manipulation, which means an attacker with local access can exploit symbolic link behavior to potentially perform unauthorized actions.
The exploit code for this vulnerability has been publicly released, increasing the risk of attacks.
Upgrading to version 0.9.0 of the hermes-agent mitigates this issue.
How can this vulnerability impact me? :
This vulnerability requires local access to be exploited, meaning an attacker must have some level of access to the affected system.
Successful exploitation can lead to integrity and availability impacts, as indicated by the CVSS scores, potentially allowing an attacker to manipulate files or disrupt service.
While confidentiality is not affected, the integrity and availability of the system or data could be compromised.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade the affected component, NousResearch hermes-agent, from version 0.8.0 to version 0.9.0.
This upgrade includes a patch identified as 311dac197145e19e07df68feba2cd55d896a3cd1 that fixes the security flaw in the _check_sensitive_path function.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized writes to sensitive system files on macOS due to a symlink bypass in path checking. This could potentially enable privilege escalation or unauthorized modification of system configuration files if the agent runs with sufficient permissions.
Such unauthorized access or modification of system files could lead to violations of security requirements in common standards and regulations like GDPR or HIPAA, which mandate protection of system integrity and prevention of unauthorized access to sensitive data or system components.
However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a symlink bypass in the path write protection of the hermes-agent on macOS systems, allowing unauthorized writes to sensitive system files like /etc/hosts by exploiting the symlink from /etc to /private/etc.
To detect if your system is vulnerable, you can check the version of the hermes-agent installed. Versions prior to 0.9.0 are affected and should be upgraded.
Since the vulnerability requires local access and involves file path checks, detection can include verifying if the _check_sensitive_path function properly blocks writes to both /etc/ and /private/etc/ paths.
You can attempt to test the vulnerability by trying to write to sensitive files such as /etc/hosts or /private/etc/hosts using the hermes-agent tools (write_file or patch) and observe if the write is blocked.
Suggested commands to check the hermes-agent version and presence of the vulnerable code:
- Check hermes-agent version: `hermes-agent --version` or check installed package version.
- Search for the vulnerable function in the installed files: `grep -r '_check_sensitive_path' /path/to/hermes-agent/`
- Attempt a controlled write test to a sensitive file (only if safe and authorized): use hermes-agent's write_file or patch commands to write to /etc/hosts or /private/etc/hosts and verify if the operation is blocked.
Monitoring logs or alerts for unauthorized write attempts to sensitive paths on macOS can also help detect exploitation attempts.