Description
A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.23. This affects the function _sync_anthropic_entry_from_credentials_file of the file agent/credential_pool.py of the component Credential Pool Synchronization. The manipulation results in improper authentication. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-02
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the _sync_anthropic_entry_from_credentials_file function of credential_pool.py in NousResearch hermes-agent. Manipulating credentials results in improper authentication. The description does not explicitly state whether this permits bypassing access controls, so the extent of unauthorized actions is inferred but not confirmed.

Affected Systems

NousResearch hermes-agent, versions up to 2026.4.23. The flaw affects any deployment of the component responsible for credential pool synchronization.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Because it requires local privilege, the attack is limited to systems where the attacker has local access, but the publicly released exploit makes it a known risk for any environment hosting the affected agent.

Generated by OpenCVE AI on June 2, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch when it becomes available.
  • Set restrictive permissions on the credentials file to prevent local modification by untrusted users.
  • Configure the system to audit and log any attempts to access or modify the credentials file and review logs regularly.

Generated by OpenCVE AI on June 2, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.23. This affects the function _sync_anthropic_entry_from_credentials_file of the file agent/credential_pool.py of the component Credential Pool Synchronization. The manipulation results in improper authentication. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title NousResearch hermes-agent Credential Pool Synchronization credential_pool.py _sync_anthropic_entry_from_credentials_file improper authentication
First Time appeared Nousresearch
Nousresearch hermes-agent
Weaknesses CWE-287
CPEs cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
Vendors & Products Nousresearch
Nousresearch hermes-agent
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nousresearch Hermes-agent
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T00:30:09.704Z

Reserved: 2026-06-01T13:28:23.195Z

Link: CVE-2026-10548

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-02T02:16:15.233

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10548

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T03:00:13Z

Weaknesses