CVE-2026-10223
Deferred Deferred - Pending Action
Memory Injection Vulnerability in NousResearch Hermes-Agent

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A weakness has been identified in NousResearch hermes-agent up to 2026.4.30. This affects the function _scan_memory_content of the file tools/memory_tool.py. This manipulation causes injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10223
EUVD
EUVD-2026-33556
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nousresearch hermes-agent to 2026.4.30 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10223 is a prompt injection vulnerability in the Hermes agent's memory tool, specifically in the function _scan_memory_content within tools/memory_tool.py. The vulnerability arises because the regex patterns used to detect injection payloads are too rigid and fail to catch payloads that insert extra words between certain keywords like "ignore" and "previous," "all," "above," or "prior."

This flaw allows attackers to bypass security scans and inject malicious instructions into the agent's persistent memory. These injected instructions can alter the agent's behavior permanently across all future sessions.

The attack can be initiated remotely through external interfaces such as API, Discord, or Slack by sending crafted messages that bypass the scanner and write payloads to MEMORY.md, which the agent loads on session start.

Compliance Impact

The vulnerability in NousResearch hermes-agent allows attackers to inject malicious instructions into the agent's persistent memory, potentially leading to agent hijacking, data exfiltration, and persistent backdoors.

Such unauthorized data access and manipulation could compromise the confidentiality and integrity of sensitive information, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health-related data.

Because the exploit can be initiated remotely and persist across sessions, it increases the risk of prolonged unauthorized access, which is a significant concern under these standards.

Impact Analysis

This vulnerability can have serious impacts including agent hijacking, data exfiltration, and the establishment of persistent backdoors.

Because the injected instructions are stored in persistent memory and loaded on every session start, an attacker can maintain long-term control over the agent's behavior.

The ability to bypass security scans means that malicious payloads can be introduced without detection, increasing the risk of unauthorized actions and compromise of sensitive data.

Detection Guidance

This vulnerability involves injection into the Hermes agent's persistent memory via crafted messages that bypass the agent's security scans. Detection can focus on monitoring for unusual or crafted messages sent to the agent through its external interfaces such as API, Discord, or Slack.

Specifically, you can check the contents of the MEMORY.md file used by the agent, as injected payloads are written there and loaded on session start.

Commands to detect suspicious entries might include searching MEMORY.md for unexpected keywords or patterns that include the word "ignore" followed by additional words before keywords like "previous", "all", "above", or "prior".

  • grep -iE 'ignore\s+\w+\s+(previous|all|above|prior)' MEMORY.md
  • Monitor network traffic for unusual API calls or messages sent to Hermes agent endpoints, especially those containing injection-like payloads.
Mitigation Strategies

Immediate mitigation steps include restricting access to the Hermes agent's external interfaces (API, Discord, Slack) to trusted users only, to prevent attackers from sending crafted injection payloads.

Additionally, review and sanitize all inputs to the agent to ensure they do not contain injection patterns that exploit the flawed regex in tools/memory_tool.py.

Since the vendor has not responded and no patch is available, consider disabling or limiting the use of the vulnerable memory scanning functionality until a fix is released.

Regularly audit the MEMORY.md file for unauthorized modifications and remove any suspicious injected content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart