Description
A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the _make_run_env function of the local.py module within the Messaging Gateway Handler of NousResearch hermes-agent. By feeding crafted input to this function, an attacker can cause sensitive data to be leaked. The exposed data may include host configuration, credentials or other confidential material, raising the risk of data compromise. The weakness is classified as Information Exposure (CWE-200) and an improper authorization issue (CWE-284).

Affected Systems

All releases of NousResearch hermes-agent up to version 2026.4.23 are affected. Users of any earlier release within this range are potentially vulnerable unless they have applied a later fix.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity impact. EPSS is not available, so the likelihood of exploitation remains uncertain, and the vulnerability is not listed in the CISA KEV catalog. The advisory states that the flaw can be exploited remotely; the likely attack vector is via a network-facing interface or management console that invokes the Messaging Gateway Handler. Since an exploit has already been released publicly, the risk to exposed systems is high. The vendor has not responded, implying that a patch may not yet be available.

Generated by OpenCVE AI on May 24, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch from NousResearch as soon as it becomes available.
  • Restrict network access to the Messaging Gateway Handler by limiting connections to trusted hosts or internal networks.
  • Enforce strict authentication and authorization for any operation that calls the _make_run_env function, and monitor the gateway for anomalous activity.

Generated by OpenCVE AI on May 24, 2026 at 07:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 24 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title NousResearch hermes-agent Messaging Gateway local.py _make_run_env information disclosure
First Time appeared Nousresearch
Nousresearch hermes-agent
Weaknesses CWE-200
CWE-284
CPEs cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
Vendors & Products Nousresearch
Nousresearch hermes-agent
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nousresearch Hermes-agent
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T03:30:11.060Z

Reserved: 2026-05-23T09:19:35.674Z

Link: CVE-2026-9352

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-24T07:30:15Z

Weaknesses