CVE-2026-10221
Remote Code Injection in NousResearch Hermes-Agent
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nousresearch | hermes-agent | to 0.12.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10221 is a prompt injection vulnerability in the hermes-agent software, specifically affecting versions 0.12.0 and earlier.
The flaw allows an attacker to manipulate the agent's behavior by injecting malicious payloads into todo list items.
When the agent's context window overflows and triggers compression, the raw content of these todo items is appended as a user-role message at the end of the compressed conversation.
Since large language models prioritize the final user turn, this injected payload can override prior system instructions, enabling arbitrary command execution, data exfiltration, or tool abuse.
The vulnerability stems from two key issues: the TodoStore.format_for_injection() function concatenates unsanitized todo item content without escaping, and the _compress_context() method directly appends this raw content as a user message during compression.
An attacker can exploit this by creating a malicious todo item through the built-in todo tool, which then persists across compression cycles and gains control over the agent's behavior.
How can this vulnerability impact me? :
This vulnerability enables full instruction hijacking of the hermes-agent, allowing attackers to bypass safety directives.
Attackers can read sensitive files, execute unauthorized commands, or abuse tools integrated with the agent.
The exploit is remotely initiable and publicly available, increasing the risk of real-world attacks.
All default deployments where the todo tool and context compression are enabled (CLI, API server, and gateway platforms) are affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves injection via malicious todo list items in the hermes-agent software, specifically exploiting the _compress_context function in run_agent.py. Detection involves identifying suspicious or unexpected todo items that contain injection payloads.
Since the exploit uses specially crafted todo items that override system instructions, you can inspect the todo list content for unusual or suspicious commands or payloads.
- Check the todo list items stored or managed by the hermes-agent for suspicious content, especially payloads that include commands like 'Ignore all previous instructions' or shell commands such as 'cat /etc/passwd'.
- Use commands or scripts to extract and review the todo items from the agent's storage or logs.
- Monitor network traffic for unusual API calls or CLI commands that create or modify todo items with suspicious content.
Specific commands depend on your deployment and how todo items are stored or accessed, but generally, searching for keywords or suspicious patterns in todo items is recommended.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the hermes-agent todo tool to trusted users only, as the vulnerability allows remote injection via todo items.
Since no official patch exists, consider disabling or limiting the use of the todo tool and context compression features in the hermes-agent until a fix is available.
Monitor and audit todo items regularly to detect and remove any malicious payloads.
Implement network-level controls to restrict remote access to the hermes-agent interfaces that allow todo item creation or modification.
Consider applying additional input sanitization or filtering on todo item content if possible, to prevent injection of malicious payloads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute arbitrary commands, read sensitive files, and exfiltrate data by injecting malicious payloads into the hermes-agent's todo items. This can lead to unauthorized access and disclosure of sensitive information.
Such unauthorized data access and potential data breaches could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure.
Since the vulnerability enables full instruction hijacking and bypassing of safety directives, it increases the risk of data compromise, which may result in violations of these regulatory requirements.