{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hermes-agent--2026.4.16/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9368"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["hermes-agent (\u003c= 2026.4.16)"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","remote-code-execution","cve"],"_cs_type":"advisory","_cs_vendors":["NousResearch"],"content_html":"\u003cp\u003eA remote code execution vulnerability, identified as CVE-2026-9368, exists in NousResearch hermes-agent versions up to 2026.4.16. The vulnerability resides within the \u003ccode\u003eexecute_code\u003c/code\u003e function of the \u003ccode\u003etools/code_execution_tool.py\u003c/code\u003e file, specifically affecting the Environment Variable Handler component. A publicly available exploit allows for remote attackers to bypass the intended sandbox restrictions. The vendor, NousResearch, was contacted but did not respond to the disclosure. This vulnerability poses a significant risk as it allows attackers to execute arbitrary code outside of the intended hermes-agent sandbox.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable hermes-agent instance running a version up to 2026.4.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eexecute_code\u003c/code\u003e function in \u003ccode\u003etools/code_execution_tool.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request exploits the vulnerability in the Environment Variable Handler component.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to manipulate environment variables in a way that bypasses sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary code into the environment, leveraging the compromised environment variables.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecute_code\u003c/code\u003e function executes the injected code, now running outside the intended sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9368 allows a remote attacker to bypass the sandbox restrictions of hermes-agent, leading to arbitrary code execution on the host system. This can result in complete system compromise, data theft, or denial of service. The vulnerability is remotely exploitable and has a publicly available exploit, increasing the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for requests targeting the \u003ccode\u003eexecute_code\u003c/code\u003e function in \u003ccode\u003etools/code_execution_tool.py\u003c/code\u003e to detect potential exploitation attempts using the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for environment variables to mitigate the vulnerability in the Environment Variable Handler component.\u003c/li\u003e\n\u003cli\u003eApply network segmentation to limit the impact of a successful sandbox escape.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes spawned by the hermes-agent process to detect potential post-exploitation activity using the Sigma rule provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:46:59Z","date_published":"2026-05-26T13:46:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9368/","summary":"A vulnerability in NousResearch hermes-agent up to version 2026.4.16 allows for remote exploitation of the execute_code function, leading to a sandbox escape.","title":"NousResearch hermes-agent Sandbox Vulnerability (CVE-2026-9368)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9368/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9350"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["hermes-agent (\u003c= 2026.4.16)"],"_cs_severities":["high"],"_cs_tags":["cve","authorization","hermes-agent"],"_cs_type":"advisory","_cs_vendors":["NousResearch"],"content_html":"\u003cp\u003eA missing authorization vulnerability, identified as CVE-2026-9350, affects NousResearch hermes-agent up to version 2026.4.16. The flaw resides within the \u003ccode\u003echeck_all_command_guards\u003c/code\u003e function in the \u003ccode\u003etools/approval.py\u003c/code\u003e file, a part of the Batch Runner component. Successful exploitation of this vulnerability allows remote attackers to bypass authorization checks, potentially leading to unauthorized command execution or data access. Publicly available exploit code exists, increasing the risk of exploitation. The vendor was notified but has not responded. This vulnerability was published on 2026-05-24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable hermes-agent instance running a version prior to 2026.4.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the Batch Runner component.\u003c/li\u003e\n\u003cli\u003eThe request is designed to invoke functionality that relies on the \u003ccode\u003echeck_all_command_guards\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check, the attacker bypasses the intended access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker executes unauthorized commands or accesses restricted data within the Batch Runner component.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access to escalate privileges or gain further control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may install malware, exfiltrate sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9350 can lead to unauthorized access to sensitive data, execution of arbitrary commands, and potential system compromise. This can result in data breaches, service disruption, and reputational damage. The fact that the exploit is publicly available increases the likelihood of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NousResearch hermes-agent to a version later than 2026.4.16 to remediate CVE-2026-9350.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious requests targeting the Batch Runner component of hermes-agent using the \u0026ldquo;Detect Suspicious Hermes-Agent Batch Runner Requests\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Unauthorized Command Execution via Hermes-Agent\u0026rdquo; Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:44:22Z","date_published":"2026-05-26T13:44:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9350-hermes-agent-auth-bypass/","summary":"A missing authorization vulnerability (CVE-2026-9350) exists in NousResearch hermes-agent up to version 2026.4.16, affecting the `check_all_command_guards` function in `tools/approval.py` of the Batch Runner component, enabling remote attackers to bypass authorization checks.","title":"NousResearch hermes-agent Missing Authorization Vulnerability (CVE-2026-9350)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9350-hermes-agent-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Hermes-Agent (\u003c= 2026.4.16)","version":"https://jsonfeed.org/version/1.1"}