Hermes-Agent (<= 2026.4.23) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/hermes-agent--2026.4.23/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 26 May 2026 13:44:43 +0000NousResearch hermes-agent Remote Code Injection Vulnerability (CVE-2026-9353)https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9353/Tue, 26 May 2026 13:44:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-9353/A remote code injection vulnerability (CVE-2026-9353) exists in NousResearch hermes-agent up to version 2026.4.23, allowing attackers to inject malicious code by manipulating the THREAT_PATTERNS argument in the Skills Guard Multi-Word Prompt Handler component.A security vulnerability, CVE-2026-9353, has been identified in NousResearch hermes-agent, affecting versions up to 2026.4.23. The vulnerability resides in the agent/skills_guard.py file within the Skills Guard Multi-Word Prompt Handler component. By manipulating the THREAT_PATTERNS argument, a remote attacker can inject arbitrary code. Public disclosure of the exploit is available, increasing the risk of exploitation. The vendor was contacted regarding the vulnerability, but no response was received. This vulnerability allows for unauthenticated remote code execution, potentially leading to complete system compromise.

Attack Chain

  1. An attacker identifies a vulnerable NousResearch hermes-agent instance running a version prior to 2026.4.23.
  2. The attacker crafts a malicious payload designed to exploit the code injection vulnerability in the THREAT_PATTERNS argument.
  3. The attacker sends a specially crafted request to the hermes-agent server, embedding the malicious payload within the THREAT_PATTERNS argument targeting the Skills Guard Multi-Word Prompt Handler.
  4. The hermes-agent server processes the request, failing to properly sanitize or validate the THREAT_PATTERNS input.
  5. Due to insufficient input validation, the malicious payload is injected and executed by the server.
  6. The injected code allows the attacker to execute arbitrary commands on the server, potentially gaining shell access.
  7. The attacker leverages the compromised server to perform further actions, such as data exfiltration or lateral movement within the network.
  8. The attacker achieves complete system compromise and gains persistent access to the target environment.

Impact

Successful exploitation of CVE-2026-9353 can lead to remote code execution on the affected NousResearch hermes-agent server. This could allow an attacker to gain complete control over the system, potentially leading to data breaches, service disruption, or further attacks on the internal network. Given the public availability of the exploit, the likelihood of exploitation is increased, posing a significant risk to organizations using vulnerable versions of hermes-agent.

Recommendation

  • Upgrade NousResearch hermes-agent to a version later than 2026.4.23 to remediate CVE-2026-9353.
  • Deploy the Sigma rule “Detect CVE-2026-9353 Exploitation Attempt via Malicious THREAT_PATTERNS Argument” to detect potential exploitation attempts by monitoring HTTP requests for suspicious patterns.
  • Implement input validation and sanitization measures on all user-supplied inputs to prevent code injection vulnerabilities.
  • Monitor network traffic for unusual activity originating from the hermes-agent server.
]]>highadvisorycvecode injectionremote code executionweb application