CVE-2026-9368 - Vulnerability Details

Description

A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function execute_code of the file tools/code_execution_tool.py of the component Environment Variable Handler. Such manipulation leads to sandbox issue. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-24

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the execute_code function of the Environment Variable Handler permits attackers to inject crafted environment variables that break the hermes-agent sandbox, enabling arbitrary command execution. The flaw is classified as CWE-264 and CWE-265. An attacker can run arbitrary code within the hermes-agent process, potentially compromising confidentiality, integrity, and availability.

Affected Systems

All releases of NousResearch hermes-agent up to and including version 2026.4.16 are vulnerable. No fixed build is currently available, and the vendor has not issued a public response.

Risk and Exploitability

The CVSS score of 6.9 marks the vulnerability as moderate, yet the description indicates an available public exploit, suggesting a realistic threat. EPSS data is missing, but the existence of an exploit increases the likelihood of real-world attacks. The attack vector is remote, via manipulation of environment variables that influence hermes-agent’s execution context. The lack of a KEV listing does not diminish its practical risk; administrators should treat it as a high-priority issue per the available evidence.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NousResearch

hermes-agent

affected

Version	Status	Constraints
`2026.4.0`	affected	—
`2026.4.1`	affected	—
`2026.4.2`	affected	—
`2026.4.3`	affected	—
`2026.4.4`	affected	—
`2026.4.5`	affected	—
`2026.4.6`	affected	—
`2026.4.7`	affected	—
`2026.4.8`	affected	—
`2026.4.9`	affected	—
`2026.4.10`	affected	—
`2026.4.11`	affected	—
`2026.4.12`	affected	—
`2026.4.13`	affected	—
`2026.4.14`	affected	—
`2026.4.15`	affected	—
`2026.4.16`	affected	—

No data.

Vendor Product Confidence Versions

Nousresearch

Hermes-agent

95%

Version	Status	Scheme	Platform
`2026.4.0`	affected	semver	—
`2026.4.1`	affected	semver	—
`2026.4.2`	affected	semver	—
`2026.4.3`	affected	semver	—
`2026.4.4`	affected	semver	—
`2026.4.5`	affected	semver	—
`2026.4.6`	affected	semver	—
`2026.4.7`	affected	semver	—
`2026.4.8`	affected	semver	—
`2026.4.9`	affected	semver	—
`2026.4.10`	affected	semver	—
`2026.4.11`	affected	semver	—
`2026.4.12`	affected	semver	—
`2026.4.13`	affected	semver	—
`2026.4.14`	affected	semver	—
`2026.4.15`	affected	semver	—
`2026.4.16`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and deploy any official update or patch from NousResearch that resolves the execute_code vulnerability, or apply a vendor‑supplied workaround if one becomes available.
Limit hermes-agent to run with the lowest privilege set required, and enforce strict validation or sanitization of all environment variables it consumes, ensuring that untrusted input cannot alter its execution behavior.
Deploy monitoring and logging to detect anomalous environment variable changes or unauthorized execution contexts, and consider isolating hermes-agent within a dedicated container or sandbox to contain potential compromise.

Generated by OpenCVE AI on May 24, 2026 at 10:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00069.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/YLChen-007/43c72d19668421abe8ce10f299323a0a
https://vuldb.com/submit/812229
https://vuldb.com/vuln/365331
https://vuldb.com/vuln/365331/cti

History

Sun, 24 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function execute_code of the file tools/code_execution_tool.py of the component Environment Variable Handler. Such manipulation leads to sandbox issue. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		NousResearch hermes-agent Environment Variable code_execution_tool.py execute_code sandbox
First Time appeared		Nousresearch Nousresearch hermes-agent
Weaknesses		CWE-264 CWE-265
CPEs		cpe:2.3:a:nousresearch:hermes-agent::::::::
Vendors & Products		Nousresearch Nousresearch hermes-agent
References		https://gist.github.com/YLChen-007/43c72d19668421abe8ce10f299323a0a https://vuldb.com/submit/812229 https://vuldb.com/vuln/365331 https://vuldb.com/vuln/365331/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Nousresearch Hermes-agent

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-24T08:45:09.083Z

Updated: 2026-05-24T08:45:09.083Z

Reserved: 2026-05-23T10:33:15.559Z

Link: CVE-2026-9368

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T11:00:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object