CVE-2026-10223
Memory Injection Vulnerability in NousResearch Hermes-Agent
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nousresearch | hermes-agent | to 2026.4.30 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in NousResearch hermes-agent allows attackers to inject malicious instructions into the agent's persistent memory, potentially leading to agent hijacking, data exfiltration, and persistent backdoors.
Such unauthorized data access and manipulation could compromise the confidentiality and integrity of sensitive information, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health-related data.
Because the exploit can be initiated remotely and persist across sessions, it increases the risk of prolonged unauthorized access, which is a significant concern under these standards.
Can you explain this vulnerability to me?
CVE-2026-10223 is a prompt injection vulnerability in the Hermes agent's memory tool, specifically in the function _scan_memory_content within tools/memory_tool.py. The vulnerability arises because the regex patterns used to detect injection payloads are too rigid and fail to catch payloads that insert extra words between certain keywords like "ignore" and "previous," "all," "above," or "prior."
This flaw allows attackers to bypass security scans and inject malicious instructions into the agent's persistent memory. These injected instructions can alter the agent's behavior permanently across all future sessions.
The attack can be initiated remotely through external interfaces such as API, Discord, or Slack by sending crafted messages that bypass the scanner and write payloads to MEMORY.md, which the agent loads on session start.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including agent hijacking, data exfiltration, and the establishment of persistent backdoors.
Because the injected instructions are stored in persistent memory and loaded on every session start, an attacker can maintain long-term control over the agent's behavior.
The ability to bypass security scans means that malicious payloads can be introduced without detection, increasing the risk of unauthorized actions and compromise of sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves injection into the Hermes agent's persistent memory via crafted messages that bypass the agent's security scans. Detection can focus on monitoring for unusual or crafted messages sent to the agent through its external interfaces such as API, Discord, or Slack.
Specifically, you can check the contents of the MEMORY.md file used by the agent, as injected payloads are written there and loaded on session start.
Commands to detect suspicious entries might include searching MEMORY.md for unexpected keywords or patterns that include the word "ignore" followed by additional words before keywords like "previous", "all", "above", or "prior".
- grep -iE 'ignore\s+\w+\s+(previous|all|above|prior)' MEMORY.md
- Monitor network traffic for unusual API calls or messages sent to Hermes agent endpoints, especially those containing injection-like payloads.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Hermes agent's external interfaces (API, Discord, Slack) to trusted users only, to prevent attackers from sending crafted injection payloads.
Additionally, review and sanitize all inputs to the agent to ensure they do not contain injection patterns that exploit the flawed regex in tools/memory_tool.py.
Since the vendor has not responded and no patch is available, consider disabling or limiting the use of the vulnerable memory scanning functionality until a fix is released.
Regularly audit the MEMORY.md file for unauthorized modifications and remove any suspicious injected content.