CVE-2026-10220 Overview
CVE-2026-10220 is an injection vulnerability affecting NousResearch hermes-agent versions up to 2026.4.30. The flaw resides in the _serve_plugin_skill/skill_view function within tools/skills_tool.py. Remote attackers can exploit this weakness without authentication or user interaction. A public proof-of-concept exploit has been disclosed, increasing the risk of opportunistic abuse. The vendor was contacted prior to public disclosure but did not respond, leaving affected deployments without an official remediation path. The weakness is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Remote, unauthenticated attackers can inject arbitrary content into the _serve_plugin_skill/skill_view handler, potentially affecting confidentiality, integrity, and availability of the hermes-agent service.
Affected Products
- NousResearch hermes-agent versions up to and including 2026.4.30
- Component: tools/skills_tool.py
- Function: _serve_plugin_skill/skill_view
Discovery Timeline
- 2026-06-01 - CVE CVE-2026-10220 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10220
Vulnerability Analysis
The vulnerability stems from improper neutralization of input passed to the _serve_plugin_skill/skill_view function in tools/skills_tool.py. This function processes skill plugin requests in hermes-agent and forwards data to a downstream component without adequate sanitization. Attackers can manipulate request parameters to inject crafted payloads that the downstream component interprets as control data rather than untrusted input. The flaw is remotely reachable over the network and requires no authentication or user interaction, making it suitable for automated exploitation. According to the EPSS forecast published on 2026-06-04, the probability of exploitation in the next 30 days sits at the lower end of the distribution, but a public proof-of-concept lowers the barrier to entry.
Root Cause
The root cause is the absence of input neutralization in the skill view handler. The function consumes attacker-controlled data and passes it to a downstream interpreter without escaping, encoding, or validating the structural characters that the interpreter treats as syntax. This matches the pattern described by [CWE-74].
Attack Vector
The attack is performed over the network against an exposed hermes-agent instance. An attacker sends a crafted HTTP request to the plugin skill endpoint handled by _serve_plugin_skill/skill_view. Because authentication is not required, any network-reachable instance is exposed. Technical details of the exploitation flow are available in the public proof-of-concept hosted as a GitHub PoC Script and the VulDB CVE-2026-10220 entry.
No verified exploitation code is reproduced here. Refer to the linked advisories for technical specifics on the injection payload structure.
Detection Methods for CVE-2026-10220
Indicators of Compromise
- Unexpected HTTP requests targeting the hermes-agent plugin skill endpoint bound to _serve_plugin_skill/skill_view.
- Request parameters containing meta-characters, separators, or control sequences associated with downstream interpreters.
- Anomalous child processes or outbound network connections spawned by the hermes-agent runtime after skill view requests.
Detection Strategies
- Inspect application logs for requests to the skill_view route containing unusual payloads or encoded control characters.
- Apply web application firewall rules that flag injection-style metacharacters reaching the hermes-agent plugin endpoints.
- Correlate skill plugin requests with unexpected file system or process activity originating from the agent.
Monitoring Recommendations
- Enable verbose request logging on the hermes-agent service and forward logs to a centralized analytics platform for retention and search.
- Alert on first-seen client IP addresses interacting with plugin skill endpoints in production environments.
- Baseline normal request parameter shapes for _serve_plugin_skill and trigger alerts on statistical outliers.
How to Mitigate CVE-2026-10220
Immediate Actions Required
- Restrict network access to hermes-agent instances using firewall rules or reverse proxies that enforce authentication in front of the service.
- Remove or disable the _serve_plugin_skill/skill_view route if plugin skills are not required in your deployment.
- Audit existing hermes-agent instances for prior exploitation by reviewing logs for suspicious skill view requests.
Patch Information
No vendor patch is available at the time of publication. The vendor was contacted before public disclosure but did not respond. Operators should monitor the NousResearch hermes-agent repository and the VulDB #367499 advisory for future fix releases.
Workarounds
- Place hermes-agent behind an authenticating reverse proxy that rejects unauthenticated requests to plugin routes.
- Deploy input validation at the proxy layer to strip or reject metacharacters in parameters destined for skill_view.
- Run hermes-agent under a least-privilege service account and within an isolated container to limit the blast radius of successful injection.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

