Skip to content
Threat Feed
high advisory

NousResearch hermes-agent Sandbox Vulnerability (CVE-2026-9368)

A vulnerability in NousResearch hermes-agent up to version 2026.4.16 allows for remote exploitation of the execute_code function, leading to a sandbox escape.

A remote code execution vulnerability, identified as CVE-2026-9368, exists in NousResearch hermes-agent versions up to 2026.4.16. The vulnerability resides within the execute_code function of the tools/code_execution_tool.py file, specifically affecting the Environment Variable Handler component. A publicly available exploit allows for remote attackers to bypass the intended sandbox restrictions. The vendor, NousResearch, was contacted but did not respond to the disclosure. This vulnerability poses a significant risk as it allows attackers to execute arbitrary code outside of the intended hermes-agent sandbox.

Attack Chain

  1. Attacker identifies a vulnerable hermes-agent instance running a version up to 2026.4.16.
  2. The attacker crafts a malicious request targeting the execute_code function in tools/code_execution_tool.py.
  3. The request exploits the vulnerability in the Environment Variable Handler component.
  4. The vulnerability allows the attacker to manipulate environment variables in a way that bypasses sandbox restrictions.
  5. The attacker injects arbitrary code into the environment, leveraging the compromised environment variables.
  6. The execute_code function executes the injected code, now running outside the intended sandbox.
  7. The attacker gains unauthorized access to the underlying system.

Impact

Successful exploitation of CVE-2026-9368 allows a remote attacker to bypass the sandbox restrictions of hermes-agent, leading to arbitrary code execution on the host system. This can result in complete system compromise, data theft, or denial of service. The vulnerability is remotely exploitable and has a publicly available exploit, increasing the likelihood of exploitation.

Recommendation

  • Monitor network traffic for requests targeting the execute_code function in tools/code_execution_tool.py to detect potential exploitation attempts using the Sigma rule provided.
  • Implement input validation and sanitization for environment variables to mitigate the vulnerability in the Environment Variable Handler component.
  • Apply network segmentation to limit the impact of a successful sandbox escape.
  • Monitor process creation events for suspicious processes spawned by the hermes-agent process to detect potential post-exploitation activity using the Sigma rule provided.

Detection coverage 2

Detect CVE-2026-9368 Exploitation Attempt - execute_code Request

high

Detects CVE-2026-9368 exploitation attempts by monitoring for requests targeting the execute_code function.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detect Suspicious Child Process of hermes-agent

medium

Detects suspicious child processes spawned by hermes-agent, potentially indicating post-exploitation activity after CVE-2026-9368 exploitation.

sigma tactics: execution techniques: T1059.004 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →