CVE-2026-10222 Overview
CVE-2026-10222 is an injection vulnerability [CWE-74] in NousResearch hermes-agent versions up to 2026.4.30. The flaw resides in the _sanitize_env_lines function within hermes_cli/config.py. An attacker can manipulate input passed to this function to inject unintended content into the environment configuration. The vulnerability is exploitable remotely without authentication, though successful exploitation requires high attack complexity. A public proof-of-concept exists, and the vendor did not respond to disclosure attempts.
Critical Impact
Remote attackers can inject malicious content through the environment line sanitization routine, potentially altering runtime configuration of the hermes-agent. Public exploit code is available.
Affected Products
- NousResearch hermes-agent versions up to and including 2026.4.30
- Component: hermes_cli/config.py
- Affected function: _sanitize_env_lines
Discovery Timeline
- 2026-06-01 - CVE CVE-2026-10222 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10222
Vulnerability Analysis
The vulnerability stems from improper neutralization of special elements in the _sanitize_env_lines function of hermes_cli/config.py. This routine is responsible for processing environment variable lines, but it fails to fully sanitize attacker-controlled input. The flaw is classified under [CWE-74], which covers injection issues where input is not properly separated from control directives. Successful injection allows an attacker to influence how the hermes-agent interprets environment configuration during runtime. The attack vector is network-based, requires no privileges, and requires no user interaction, but exploitation is rated as high complexity. Public exploit code has been released through a GitHub Gist proof-of-concept.
Root Cause
The root cause is insufficient input validation and sanitization within the _sanitize_env_lines function. The function processes environment variable lines without enforcing strict separation between data and control characters. As a result, crafted input can introduce additional directives that the parser treats as legitimate configuration.
Attack Vector
An unauthenticated remote attacker can supply crafted environment line data that reaches the _sanitize_env_lines routine. The high complexity rating reflects that exploitation depends on specific environmental conditions or input shaping. Refer to the GitHub Gist PoC Script for technical details on the exploitation flow.
// No verified exploitation code is reproduced here.
// See the public PoC referenced above for technical details.
Detection Methods for CVE-2026-10222
Indicators of Compromise
- Unexpected entries or special characters in environment configuration consumed by hermes-agent
- Unusual process behavior or environment variable values originating from hermes-agent runtime
- Anomalous network requests targeting hermes-agent endpoints that accept configuration input
Detection Strategies
- Audit calls to _sanitize_env_lines in hermes_cli/config.py and inspect input sources for untrusted data
- Log and review all environment configuration changes applied by the hermes-agent CLI
- Compare hermes-agent runtime environment against a known-good baseline to surface injected values
Monitoring Recommendations
- Monitor process execution telemetry on hosts running hermes-agent for unexpected child processes or environment changes
- Capture and review CLI invocations of hermes-agent, particularly those supplying environment line input from network sources
- Track outbound connections from hermes-agent processes for deviations from expected behavior
How to Mitigate CVE-2026-10222
Immediate Actions Required
- Inventory all systems running NousResearch hermes-agent at version 2026.4.30 or earlier
- Restrict network exposure of hermes-agent interfaces that accept configuration input from untrusted sources
- Validate and sanitize any external input fed into hermes-agent environment configuration before invocation
Patch Information
At the time of publication, the vendor has not responded to the disclosure and no official patch reference is listed in the VulDB CVE-2026-10222 Details advisory. Operators should monitor the NousResearch hermes-agent repository for updates beyond version 2026.4.30 and apply fixes promptly when released.
Workarounds
- Run hermes-agent in an isolated environment with minimal privileges to limit the impact of injected configuration
- Apply a wrapper layer that pre-validates environment line input against a strict allowlist before passing it to hermes-agent
- Disable or restrict access to hermes-agent CLI surfaces exposed over the network until a fix is available
# Example: restrict hermes-agent to a dedicated low-privilege user and validate input
useradd -r -s /usr/sbin/nologin hermes
# Pre-validate environment lines before invoking hermes-agent
grep -E '^[A-Z_][A-Z0-9_]*=[A-Za-z0-9_./-]+$' input.env > sanitized.env || exit 1
sudo -u hermes hermes-agent --env-file sanitized.env
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

