Gathos News

AI

NousResearch's Hermes-Agent Hit by Two Remote Vulnerabilities

NousResearch's `hermes-agent` framework, up to version 2026.4.16, has two critical security flaws: a path traversal issue and a missing authorization vulnerability. Both are remotely exploitable, allowing attackers to potentially access sensitive data or execute unauthorized commands. Public exploits are reportedly available.

Developers relying on NousResearch's `hermes-agent` for their AI agent deployments should pay close attention. Two distinct, remotely exploitable vulnerabilities—CVE-2026-9351 and CVE-2026-9350—were disclosed on May 24, 2026, impacting versions of the framework up to 2026.4.16. These aren't minor bugs; they represent serious potential avenues for attackers to compromise systems using the agent.

The first, CVE-2026-9351, is a path traversal flaw in the `read_file` tool; the advisory points at the `isblockeddevice` function in `tools/file_tools.py`. For an agent that reads a local file system on a model's behalf, path traversal is a particularly nasty problem: a check that inspects the path string the model supplied, rather than the file that string actually resolves to, can be steered past with `..` segments or symlinks, and the tool ends up reading files outside its intended directory. Configuration files, credentials and system logs are all candidates for exposure once an attacker can get the right input in front of the agent. Giving `hermes-agent` tools like `read_file` is fundamental to what the framework does, but that access is a liability unless every path is canonicalized and confined to a root before it is opened.
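To make the distinction concrete, the following is an added example written for this article, not code from `hermes-agent` or its `tools/file_tools.py`. It assumes a POSIX host and a `read_file` tool that is only supposed to serve regular files under one workspace root; the blocked-prefix list and the throwaway workspace it builds are constructed for the demo. It puts a naive string-prefix device check next to a hardened one that decides on the resolved target, and shows a confinement step that rejects traversal, symlink escapes and absolute paths before anything is opened.

```python
"""Added example for this article: a sandboxed read_file tool.

Illustrative code written for this write-up, not hermes-agent's own
tools/file_tools.py. It assumes a POSIX host and a tool that should only
read regular files under one configured workspace root.
"""
import os
import stat
import tempfile
from pathlib import Path

BLOCKED_PREFIXES = ("/dev/", "/proc/", "/sys/")  # assumed policy for the demo


class PathRejected(Exception):
    """Raised when a requested path fails the sandbox check."""


def is_blocked_device_naive(path: str) -> bool:
    """Weak check: string match on the argument exactly as the model wrote it.
    Defeated by '..' segments, symlinks, or any spelling of a device path
    that does not literally begin with one of the blocked prefixes."""
    return path.startswith(BLOCKED_PREFIXES)


def is_blocked_device(path: str) -> bool:
    """Hardened check: decide on the resolved target, not on the string."""
    real = os.path.realpath(path)
    if real.startswith(BLOCKED_PREFIXES):
        return True
    try:
        mode = os.stat(real).st_mode  # follows symlinks
    except FileNotFoundError:
        return False  # nothing there; the open will fail on its own
    # Device nodes and FIFOs can block the agent forever or leak kernel state.
    return stat.S_ISCHR(mode) or stat.S_ISBLK(mode) or stat.S_ISFIFO(mode)


def confine(root: str, requested: str) -> Path:
    """Resolve `requested` (relative to root, or absolute) and insist that the
    resolved path still lies under root. Symlinks are followed first, so a
    link inside the workspace that points outside it is rejected too."""
    root_real = Path(root).resolve()
    target = Path(os.path.realpath(os.path.join(root_real, requested)))
    try:
        target.relative_to(root_real)
    except ValueError:
        raise PathRejected(f"{requested!r} escapes {root}") from None
    if is_blocked_device(str(target)):
        raise PathRejected(f"{requested!r} resolves to a device or pseudo-file")
    return target


def read_file(root: str, requested: str, max_bytes: int = 64 * 1024) -> str:
    """Tool entry point: regular files under root only, size-capped."""
    target = confine(root, requested)
    if not target.is_file():
        raise PathRejected(f"{requested!r} is not a regular file")
    with open(target, "rb") as fh:
        return fh.read(max_bytes).decode("utf-8", errors="replace")


def demo() -> dict:
    """Build a throwaway workspace (constructed sample data) and record how
    each request fares, so the behaviour can be checked without side effects."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "workspace")
    os.mkdir(root)
    Path(root, "notes.txt").write_text("hello")
    Path(base, "secret.txt").write_text("s3cret")  # outside the workspace
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link"))

    results = {"legit": read_file(root, "notes.txt")}
    for label, bad in (
        ("traversal", "../secret.txt"),
        ("symlink", "link"),
        ("absolute", os.path.join(base, "secret.txt")),
        ("device", "/dev/null"),
    ):
        try:
            read_file(root, bad)
            results[label] = "ALLOWED"
        except PathRejected:
            results[label] = "rejected"
    # The naive check is what a traversal like this walks straight past.
    results["naive_sees_device"] = is_blocked_device_naive("../../dev/null")
    results["hardened_sees_device"] = is_blocked_device("/dev/null")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The design choice worth copying is the order of operations: resolve first, compare the resolved path against the resolved root, and only then look at what kind of file it is. Checking the raw string, in any order, leaves the same hole.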

Authorization Bypass in Batch Runner

The second vulnerability, CVE-2026-9350, sits in the `Batch Runner` component, specifically the `checkallcommandguards` function in `tools/approval.py`. This one is about authorization, or rather the lack of it: a missing authorization flaw lets an attacker bypass the checks that gate actions and execute commands they should not have permission to run. For an AI agent that means the agent can be made to perform operations its legitimate user never approved. The general failure mode is a familiar one: a guard that protects one code path (a single command) does not automatically protect a second path (a batch of them) that reaches the same capability. An agent designed for specific, limited tasks being coerced into running arbitrary commands on the host is a significant control bypass, and a plausible route to full system compromise.
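The following is an added example written for this article, not `hermes-agent`'s `tools/approval.py`, and it does not reproduce the actual bug; it shows the class of bug in a hypothetical batch runner. It assumes a guard policy keyed on the program name of each shell stage, with made-up deny and approval lists, and it simulates execution by returning the commands that would have run. The contrast is between a runner that consults the guard once for the batch and a runner that guards every item and fails closed.

```python
"""Added example for this article: fail-closed command guards for a batch runner.

Illustrative code written for this write-up, not hermes-agent's own
tools/approval.py. It assumes a guard policy keyed on the program name of each
shell stage; the deny and approval lists below are made up for the demo.
"""
import shlex
from dataclasses import dataclass

DENY = frozenset({"rm", "dd", "mkfs", "shutdown", "curl"})  # assumed policy
NEEDS_APPROVAL = frozenset({"git", "pip"})                  # assumed policy


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def stage_programs(command: str) -> list:
    """Return the program name of every stage a shell would run for this line,
    so 'echo ok && rm -rf /tmp/work' is judged as ['echo', 'rm'], not 'echo'."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    programs, current = [], []
    for tok in lex:
        if tok in ("&&", "||", "|", ";", "&"):
            if current:
                programs.append(current[0])
            current = []
        else:
            current.append(tok)
    if current:
        programs.append(current[0])
    return programs


def check_all_command_guards(command: str, approved: bool) -> Verdict:
    """Every stage must pass; the first failure decides the verdict."""
    for prog in stage_programs(command):
        if prog in DENY:
            return Verdict(False, f"{prog!r} is denied by policy")
        if prog in NEEDS_APPROVAL and not approved:
            return Verdict(False, f"{prog!r} requires user approval")
    return Verdict(True, "ok")


def run_batch_unguarded(commands, approved=False):
    """Vulnerable shape (hypothetical, for contrast): the guard is consulted
    once for the batch, on its first item, and the remaining items run without
    a check of their own. Execution is simulated by returning what would run."""
    if not commands:
        return []
    if not check_all_command_guards(commands[0], approved).allowed:
        return []
    return list(commands)  # items 2..n never saw the guard


def run_batch(commands, approved=False):
    """Fixed shape: guard every item before anything runs, and let one denial
    fail the whole batch (fail closed) rather than silently skipping it."""
    for command in commands:
        verdict = check_all_command_guards(command, approved)
        if not verdict.allowed:
            raise PermissionError(f"{command!r}: {verdict.reason}")
    return list(commands)


def batch_refused(commands, approved=False) -> bool:
    """True if the guarded runner refuses the batch outright."""
    try:
        run_batch(commands, approved)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    batch = ["ls -la", "echo ok && rm -rf /tmp/work"]  # constructed sample
    print("unguarded would run:", run_batch_unguarded(batch))
    print("guarded refuses batch:", batch_refused(batch))
```

Two points in the guard are easy to get wrong: it must be evaluated per stage of a compound line, not on the leading word, and it must be evaluated per item of a batch, before the first item executes. Checking after the fact, or skipping only the failing item, still lets an attacker order the batch so the damage is done first.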

Both vulnerabilities are classified as remotely exploitable, meaning an attacker doesn't need physical access to the server or even a privileged network position. They can launch these attacks over the internet. Adding to the urgency, the sources indicate that public exploits for both CVEs are already available. This drastically shortens the window for developers to patch their systems before they become targets. The rapid disclosure of exploits highlights the ongoing challenge in securing new software, especially frameworks that grant autonomous agents significant system access.

The Broader AI Agent Security Picture

These incidents with `hermes-agent` underscore a growing concern in the AI development space: the security of AI agents. As these agents become more sophisticated and gain more autonomy—interacting with file systems, external APIs, and executing commands—the attack surface expands dramatically. Developers are building complex systems, often quickly, and integrating various tools. Each integration point, each tool, and each function within those tools represents a potential weak link if not rigorously tested and secured. This isn't just about NousResearch; it's a systemic challenge for the entire AI agent ecosystem. We'll likely see more such disclosures as these frameworks mature and receive more scrutiny from security researchers.

Why it matters

For anyone using or developing with NousResearch's `hermes-agent` up to version 2026.4.16, immediate action is required. Update your deployments as soon as a patched version is available; until then, run the agent under a narrowly scoped workspace root and make sure command approval is enforced on every execution path, batches included. Beyond the patch, these vulnerabilities are a stark reminder for the broader AI community that giving agents more capabilities means shouldering a heavier security burden. Robust input validation, strict authorization checks and secure defaults are not just good practice; they are essential safeguards as AI agents take on more critical roles in our computing environments. Ignoring these foundational principles risks turning powerful AI tools into dangerous backdoors.
