Hermes-Agent (<= 0.12.0) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/hermes-agent--0.12.0/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 01 Jun 2026 04:18:07 +0000NousResearch hermes-agent <= 0.12.0 Code Injection Vulnerability (CVE-2026-10221)https://feed.craftedsignal.io/briefs/2026-06-cve-2026-10221-hermes-agent-injection/Mon, 01 Jun 2026 04:18:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-cve-2026-10221-hermes-agent-injection/NousResearch hermes-agent up to version 0.12.0 is vulnerable to code injection in the _compress_context function of the run_agent.py file, allowing remote exploitation.A code injection vulnerability, tracked as CVE-2026-10221, affects NousResearch hermes-agent versions up to 0.12.0. The vulnerability resides within the _compress_context function of the run_agent.py file, allowing for potential code injection through manipulation of input. Remote exploitation is possible, and a public exploit is reportedly available. The vendor was notified but has not responded. This vulnerability allows an attacker to execute arbitrary code on systems running a vulnerable version of hermes-agent.

Attack Chain

  1. Attacker identifies a vulnerable instance of NousResearch hermes-agent running version 0.12.0 or earlier.
  2. Attacker crafts a malicious input string designed to exploit the code injection vulnerability in the _compress_context function within run_agent.py.
  3. The attacker sends the malicious input to the vulnerable function, likely through a network request, triggering the injection point.
  4. The _compress_context function processes the attacker-controlled input without proper sanitization or validation.
  5. The malicious input is interpreted as code and executed by the hermes-agent application, potentially granting the attacker control over the system.
  6. Attacker leverages the injected code to establish persistence on the compromised system, allowing for continued access.
  7. Attacker pivots to other internal systems and attempts to access or exfiltrate sensitive data.

Impact

Successful exploitation of this vulnerability could lead to arbitrary code execution on the affected system. This could allow an attacker to gain complete control over the hermes-agent instance, potentially leading to data theft, system compromise, or further lateral movement within the network. Due to the nature of the software, this is especially dangerous in AI/ML environments.

Recommendation

  • Apply appropriate input validation and sanitization to the _compress_context function in run_agent.py (reference CVE-2026-10221).
  • Deploy the Sigma rule Detect CVE-2026-10221 Exploitation Attempt via run_agent.py to your SIEM and tune for your environment to detect exploitation attempts targeting the vulnerable function.
  • Monitor network traffic for suspicious activity targeting NousResearch hermes-agent, especially related to calls to the _compress_context function.
]]>highadvisoryinjectioncode injectioncve-2026-10221