CVE-2026-10222
Deferred Deferred - Pending Action
Command Injection in NousResearch Hermes-Agent

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.30. Affected by this issue is the function _sanitize_env_lines of the file hermes_cli/config.py. The manipulation results in injection. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10222
EUVD
EUVD-2026-33555
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nousresearch hermes_agent to 2026.4.30 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10222 is a high-severity configuration injection vulnerability in the Hermes agent's .env file parser, specifically in the _sanitize_env_lines() function within hermes_cli/config.py.

The flaw allows an attacker to inject arbitrary environment variables by embedding a known key name (e.g., OPENAI_BASE_URL=) inside a credential value (e.g., an API key). When a victim saves the crafted credential via normal CLI operations, the parser splits the line at the embedded key, creating a separate malicious environment variable in the .env file.

This injection persists across restarts because the split lines are written to disk during credential saves and removal operations. The root cause is the parser's use of naive substring matching (str.find()) without boundary checks, allowing key names to be matched anywhere in a line, including within values.

Impact Analysis

An attacker can hijack large language model (LLM) API calls by redirecting them to a proxy server, enabling full interception of prompts, responses, and credentials.

The attack requires no special privileges and can be triggered through social engineering, compromised OAuth tokens, or malicious integrations.

Because the injected environment variables persist across restarts, the attacker can maintain long-term control over the environment, potentially leading to data leakage, unauthorized access, and manipulation of sensitive operations.

Detection Guidance

This vulnerability can be detected by inspecting the .env files used by the hermes-agent for suspicious environment variable injections. Specifically, look for lines where known key names such as 'OPENAI_BASE_URL=' appear embedded within credential values, which indicates manipulation.

Since the vulnerability involves the _sanitize_env_lines() function improperly parsing environment variables, you can search for suspicious entries in the .env file that contain unexpected or duplicated keys.

  • Use grep or similar commands to find suspicious environment variable injections, for example: grep -E 'OPENAI_BASE_URL=' path/to/.env
  • Check for multiple occurrences or malformed lines in the .env file that could indicate injection: grep -n 'OPENAI_BASE_URL=' path/to/.env
  • Monitor network traffic for unusual proxy connections or API calls redirected to unknown servers, as the exploit can hijack LLM API calls.
Mitigation Strategies

Immediate mitigation steps include carefully auditing and sanitizing the .env files used by the hermes-agent to remove any injected or suspicious environment variables.

Since no patched versions are currently available, avoid saving credentials or environment variables that may contain embedded key names or suspicious substrings.

Restrict access to the hermes-agent configuration files and monitor for unauthorized changes.

Educate users to avoid social engineering attacks that could lead to malicious credential injection.

Monitor network traffic for unusual API call redirections or proxy usage that could indicate exploitation.

Compliance Impact

This vulnerability allows an attacker to inject arbitrary environment variables into the Hermes agent's configuration, enabling interception of API calls, including prompts, responses, and credentials.

Such interception and potential exposure of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, exploitation of this vulnerability may compromise compliance with these standards by exposing confidential data and failing to maintain adequate security controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart