Description
A vulnerability was identified in NousResearch hermes-agent up to 0.12.0. Affected by this vulnerability is the function _compress_context of the file run_agent.py. The manipulation leads to injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the _compress_context function of NousResearch hermes-agent’s run_agent.py, allowing attackers to inject malicious content. The injection occurs remotely and can alter the agent’s processing logic; the exact consequences are not fully documented in the CVE, but the ability to inject indicates a potential for unintended behavior or execution of unwanted code.

Affected Systems

The flaw affects all versions of NousResearch hermes-agent up to and including 0.12.0. Systems running these versions are susceptible to the injection vulnerability.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity. No EPSS information is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a moderate likelihood of widespread exploitation. However, a publicly available exploit exists, and the attack vector is remote, meaning attackers can trigger the vulnerability without local access.

Generated by OpenCVE AI on June 1, 2026 at 06:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Identify and isolate all installations of hermes-agent 0.12.0 or earlier.
  • Block external network access to the hermes-agent service through firewall rules or network segmentation to prevent remote exploitation.
  • Monitor run_agent.py logs for anomalous activity and investigate any suspicious events.
  • Consider disabling or removing hermes-agent if it is not essential until a vendor fix can be applied.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 04:00:00 +0000

Type: Values Added (the Values Removed column is empty)

Description: A vulnerability was identified in NousResearch hermes-agent up to 0.12.0. Affected by this vulnerability is the function _compress_context of the file run_agent.py. The manipulation leads to injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: NousResearch hermes-agent run_agent.py _compress_context injection
First Time appeared: Nousresearch; Nousresearch hermes-agent
Weaknesses: CWE-707; CWE-74
CPEs: cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
Vendors & Products: Nousresearch; Nousresearch hermes-agent
References: (empty)
Metrics:
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T03:45:08.230Z

Reserved: 2026-05-31T07:51:23.739Z

Link: CVE-2026-10221

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T04:16:21.550

Modified: 2026-06-01T04:16:21.550

Link: CVE-2026-10221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T06:30:22Z

Weaknesses