CVE-2026-10220
Remote Code Execution in NousResearch Hermes-Agent
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nousresearch | hermes-agent | to 2026.4.30 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10220 is a prompt injection filter bypass vulnerability in the hermes-agent project, specifically in the skills_tool.py file. The vulnerability arises because the filter uses simple exact-string substring matching to detect malicious content in user-installed skills. Attackers can bypass this filter by inserting extra words, using synonyms, or adding whitespace between keywords, allowing crafted payloads to evade detection and enter the agent's context.
This bypass enables attackers to potentially take full control over the agent's behavior, including executing arbitrary commands, exfiltrating data, or overriding safety constraints. The root cause is that the detection logic relies on static exact literal strings and Python's 'in' operator for substring matching, instead of a more robust regex-based approach which exists but was not applied here.
How can this vulnerability impact me? :
This vulnerability can have significant impacts including unauthorized system access and data breaches. By bypassing the injection filter, attackers can execute arbitrary commands within the hermes-agent environment, potentially leading to full control over the agent.
Such control could allow attackers to exfiltrate sensitive data, manipulate system behavior, or disable safety mechanisms designed to protect the system and its data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the behavior of the hermes-agent, specifically the function _serve_plugin_skill/skill_view in the tools/skills_tool.py file, for signs of injection attempts. Since the vulnerability involves bypassing naive substring matching filters, detection should focus on identifying suspicious payloads that use multi-word variants, synonyms, or added whitespace to evade the filter.
One approach is to monitor logs or network traffic for unusual commands or data patterns that resemble injection payloads targeting the hermes-agent. Additionally, reviewing the source code or runtime behavior for the presence of the vulnerable substring matching logic can help confirm exposure.
No specific commands are provided in the resources, but general detection commands could include:
- Using grep or similar tools to search for the vulnerable function or patterns in the source code: grep -r '_serve_plugin_skill' /path/to/hermes-agent/
- Monitoring network traffic for suspicious payloads with tools like tcpdump or Wireshark filtering on the hermes-agent communication ports.
- Using Python scripts or regex tools to detect attempts to bypass the naive substring filter by looking for multi-word or spaced variants of known injection patterns.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the vulnerable hermes-agent versions (up to 2026.4.30) to prevent remote exploitation.
Since no patched versions are available at the time of disclosure, applying additional filtering or input validation using a hardened regex-based approach, as implemented in skills_guard.py, is recommended to replace the naive substring matching in skills_tool.py.
Monitoring and logging all interactions with the hermes-agent for suspicious activity can help detect exploitation attempts early.
If possible, isolate the hermes-agent in a restricted environment or sandbox to limit the impact of a potential compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to bypass input filters and potentially gain full control over the hermes-agent, including executing arbitrary commands and exfiltrating data.
Such unauthorized access and data breaches could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure or manipulation.
Therefore, exploitation of this vulnerability may result in non-compliance with these standards due to compromised confidentiality, integrity, and availability of protected data.