Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10223

CVE-2026-10223: NousResearch hermes-agent RCE Vulnerability

CVE-2026-10223 is a remote code execution vulnerability in NousResearch hermes-agent affecting the _scan_memory_content function. This flaw allows remote attackers to execute arbitrary code through injection attacks.

Published:

CVE-2026-10223 Overview

CVE-2026-10223 is an injection vulnerability affecting NousResearch hermes-agent versions up to 2026.4.30. The flaw resides in the _scan_memory_content function within tools/memory_tool.py. Attackers can exploit this weakness remotely with low privileges to manipulate memory content scanning logic. A public proof-of-concept exploit has been published on GitHub Gist, increasing the risk of opportunistic abuse. The vendor was contacted prior to disclosure but did not respond. The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Remote attackers with low privileges can inject malicious content into the memory scanning routine of hermes-agent, affecting confidentiality, integrity, and availability of the agent component.

Affected Products

  • NousResearch hermes-agent versions up to and including 2026.4.30
  • Component: tools/memory_tool.py
  • Affected function: _scan_memory_content

Discovery Timeline

  • 2026-06-01 - CVE-2026-10223 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-10223

Vulnerability Analysis

The vulnerability exists in the _scan_memory_content function of tools/memory_tool.py in the hermes-agent project. This function processes memory content without adequately neutralizing special elements before passing data to a downstream component. The flaw is categorized as an injection issue under [CWE-74]. Because hermes-agent is an AI agent framework that handles memory and tool invocations, injected content can influence agent behavior. The attack is reachable over the network and requires only low-level authentication. Public exploit code is available, which lowers the barrier for exploitation.

Root Cause

The root cause is improper neutralization of input handled by _scan_memory_content. The function does not sanitize or validate special elements within memory content before forwarding the data to downstream processing logic. This allows attacker-controlled tokens or directives to be interpreted by the consuming component rather than treated as inert data. The result is a classic injection condition where data crosses a trust boundary without sanitization.

Attack Vector

An authenticated remote attacker with low privileges sends crafted content that the agent ingests into memory. When _scan_memory_content processes this content, the embedded injection payload is passed downstream and acted upon. Because the agent operates on stored memory, the payload may persist across sessions and influence subsequent agent reasoning or tool calls. A public proof-of-concept is hosted on GitHub Gist. Refer to the VulDB CVE Report for additional technical context.

No verified code samples are available for inclusion. The vulnerability mechanism is described in prose above; consult the linked references for exploitation details.

Detection Methods for CVE-2026-10223

Indicators of Compromise

  • Unexpected directives, control characters, or markup embedded in hermes-agent memory store entries.
  • Anomalous tool invocations or agent responses that diverge from expected workflow patterns.
  • Network requests to the hermes-agent endpoint containing crafted payloads targeting memory ingestion paths.

Detection Strategies

  • Inspect inputs reaching _scan_memory_content in tools/memory_tool.py for unsanitized special elements or embedded instructions.
  • Log and review all memory write operations performed by authenticated users, correlating against expected agent behavior.
  • Implement content validation rules that flag memory entries containing injection markers or unexpected formatting.

Monitoring Recommendations

  • Enable verbose logging on hermes-agent memory operations and forward logs to a centralized analytics platform.
  • Monitor for behavioral drift in agent decision-making following memory writes from low-privilege accounts.
  • Track outbound actions triggered by the agent and alert on deviations from baseline tool usage patterns.

How to Mitigate CVE-2026-10223

Immediate Actions Required

  • Restrict network access to hermes-agent instances to trusted clients only until a vendor patch is available.
  • Review and tighten authentication and authorization on accounts permitted to write to agent memory.
  • Audit existing memory store entries for suspicious content that may indicate prior exploitation attempts.

Patch Information

No vendor patch has been published at the time of disclosure. The vendor was contacted prior to publication but did not respond. Monitor the NousResearch hermes-agent project sources and the VulDB Vulnerability #367502 record for patch updates.

Workarounds

  • Implement an input filtering layer in front of _scan_memory_content to neutralize special elements before they reach the function.
  • Disable or gate the memory ingestion feature for untrusted users until a fix is released.
  • Apply allow-listing on content stored in agent memory to reject payloads containing injection markers.
bash
# Example: restrict hermes-agent network exposure at the host firewall
sudo iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8000 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.