CVE-2026-10221 Overview
CVE-2026-10221 is an injection vulnerability [CWE-74] affecting NousResearch hermes-agent versions up to 0.12.0. The flaw resides in the _compress_context function within run_agent.py. Attackers can manipulate input to this function to trigger injection conditions remotely without authentication or user interaction. A proof-of-concept exploit is publicly available on GitHub Gist. The vendor was contacted prior to public disclosure but did not respond. The vulnerability impacts confidentiality, integrity, and availability at a limited scope.
Critical Impact
Remote attackers can inject crafted content into the agent's context compression routine, leading to limited compromise of confidentiality, integrity, and availability without requiring authentication or user interaction.
Affected Products
- NousResearch hermes-agent versions up to and including 0.12.0
- Affected component: run_agent.py
- Affected function: _compress_context
Discovery Timeline
- 2026-06-01 - CVE-2026-10221 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-10221
Vulnerability Analysis
The vulnerability is classified under [CWE-74] as an improper neutralization of special elements in output used by a downstream component. The defect exists in the _compress_context function of run_agent.py, which is responsible for reducing the size of agent context windows during operation. The function fails to properly sanitize or neutralize content before passing it to a downstream interpreter or processing routine. This category of injection flaw is common in large language model (LLM) agent frameworks where user-controllable strings are forwarded into prompts, tool invocations, or evaluation contexts. An attacker can craft malicious content that the compression routine processes verbatim, altering downstream behavior of the agent.
Root Cause
The root cause is missing input neutralization within _compress_context. The function accepts contextual data and reformats it without enforcing boundaries between trusted instructions and untrusted input. Because hermes-agent is an autonomous agent framework, content passing through context compression can influence subsequent model decisions and tool execution.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. Attackers supply crafted input that reaches the _compress_context function during normal agent operation. A public proof-of-concept demonstrating the injection is hosted on GitHub Gist PoC Code. Additional analysis is available through VulDB Vulnerability Details.
No verified exploit code is reproduced here. Refer to the linked references for the full technical proof-of-concept and reproduction steps.
Detection Methods for CVE-2026-10221
Indicators of Compromise
- Unexpected modifications to agent behavior or tool invocations following ingestion of external content
- Anomalous strings or control sequences appearing in compressed context logs produced by run_agent.py
- Outbound network connections initiated by the agent to destinations not present in the original task definition
Detection Strategies
- Inspect inputs reaching _compress_context for sequences that resemble prompt boundaries, role markers, or tool-invocation syntax
- Compare pre-compression and post-compression context to identify content that escapes intended boundaries
- Audit agent execution traces for tool calls that do not align with the user-issued task
Monitoring Recommendations
- Log all inputs and outputs of the _compress_context function with integrity-protected storage
- Alert on agent runs that produce tool invocations outside an approved allowlist
- Monitor process and network telemetry from hosts running hermes-agent for deviations from baseline behavior
How to Mitigate CVE-2026-10221
Immediate Actions Required
- Inventory all deployments of NousResearch hermes-agent at version 0.12.0 or earlier and restrict their exposure to untrusted input sources
- Place agent deployments behind input filtering that strips or escapes content resembling prompt or tool-call delimiters before it reaches _compress_context
- Limit the privileges and tool surface available to the agent process to reduce the impact of successful injection
Patch Information
At the time of publication, the vendor has not responded to disclosure and no fixed version has been announced. Monitor the NousResearch hermes-agent repository for updates beyond version 0.12.0 and review the VulDB CVE-2026-10221 entry for status changes.
Workarounds
- Run hermes-agent in an isolated environment with no access to sensitive data or production credentials
- Apply a wrapper around _compress_context that validates input length and rejects content containing instruction-like markers
- Disable or proxy network egress from the agent host to prevent injected instructions from contacting attacker-controlled infrastructure
# Example: restrict the agent process to a non-privileged user and isolated network namespace
sudo useradd -r -s /usr/sbin/nologin hermesagent
sudo -u hermesagent ip netns exec hermes-isolated python run_agent.py
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

