CVE-2026-10548 Overview
CVE-2026-10548 is an improper authentication vulnerability [CWE-287] affecting NousResearch hermes-agent versions up to and including 2026.4.23. The flaw resides in the _sync_anthropic_entry_from_credentials_file function within agent/credential_pool.py, part of the Credential Pool Synchronization component. An attacker with local access and low privileges can manipulate the credential synchronization logic to bypass authentication controls. A proof-of-concept exploit has been published publicly. The vendor was contacted before disclosure but did not respond.
Critical Impact
Local attackers can abuse improper authentication in the credential pool to gain unauthorized access to credentials handled by hermes-agent.
Affected Products
- NousResearch hermes-agent versions up to 2026.4.23
- Component: Credential Pool Synchronization (agent/credential_pool.py)
- Function: _sync_anthropic_entry_from_credentials_file
Discovery Timeline
- 2026-06-02 - CVE-2026-10548 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-10548
Vulnerability Analysis
The vulnerability stems from improper authentication handling [CWE-287] in the credential pool synchronization routine of hermes-agent. The _sync_anthropic_entry_from_credentials_file function in agent/credential_pool.py reads credentials from a local file and synchronizes them into the agent's credential pool without enforcing sufficient authentication checks. A local attacker who can influence the credentials file or invoke the synchronization path can leverage this weakness to introduce or access credential entries they should not control.
Exploitation requires local access and low privileges. The attack does not require user interaction. According to the published EPSS data (0.021%, 5.93 percentile), large-scale opportunistic exploitation probability is low, but a public proof-of-concept is available, raising the risk for targeted abuse against deployments running affected versions.
Root Cause
The root cause is missing or insufficient authentication enforcement when synchronizing Anthropic credential entries from a local credentials file into the in-memory credential pool. Trust is implicitly granted to the on-disk credential source without validating the caller or the integrity of the entry being imported.
Attack Vector
The attack vector is local. An attacker with an authenticated low-privilege session on the host running hermes-agent triggers the vulnerable synchronization path. Successful exploitation results in unauthorized authentication state changes within the credential pool, affecting confidentiality, integrity, and availability of credential material managed by the agent.
A public proof-of-concept is referenced in the GitHub Gist PoC and tracked in VulDB CVE-2026-10548. No verified exploit code is reproduced here.
Detection Methods for CVE-2026-10548
Indicators of Compromise
- Unexpected modifications to the local Anthropic credentials file consumed by hermes-agent.
- New or altered credential entries appearing in the agent's credential pool without a corresponding administrative action.
- Local process activity invoking _sync_anthropic_entry_from_credentials_file outside normal startup or refresh windows.
Detection Strategies
- Monitor file integrity on the credentials file referenced by agent/credential_pool.py and alert on writes by non-administrative users.
- Audit process execution and command-line activity from accounts that interact with the hermes-agent runtime directory.
- Correlate local user session activity with credential pool synchronization events in application logs.
Monitoring Recommendations
- Enable verbose logging within hermes-agent for credential pool synchronization events, including caller identity and source file path.
- Forward host telemetry, file integrity events, and application logs to a centralized analytics platform for correlation.
- Establish a baseline for legitimate credential refresh frequency and alert on deviations.
How to Mitigate CVE-2026-10548
Immediate Actions Required
- Restrict local access to systems running hermes-agent to trusted administrators only.
- Apply strict filesystem permissions to the Anthropic credentials file so it is readable and writable only by the service account.
- Review existing credential pool entries for unauthorized additions or modifications and rotate any potentially exposed Anthropic API keys.
Patch Information
At the time of publication, no vendor patch or fixed release has been published for hermes-agent. The vendor did not respond to disclosure attempts. Track the VulDB Vulnerability #367645 entry and the project's repository for any future fix release.
Workarounds
- Run hermes-agent under a dedicated, isolated service account with minimal local privileges.
- Store the credentials file on a restricted path with mandatory access control enforced (for example, chmod 600 and ownership limited to the service account).
- Disable or remove the credential pool synchronization path if it is not required for the deployment.
- Consider containerizing or sandboxing the agent to limit which local users can reach the vulnerable function.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

