CVE-2026-7397 Overview
A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This vulnerability affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following, allowing attackers to bypass security restrictions intended to protect sensitive system paths. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks.
Critical Impact
Local attackers can exploit symlink following to write to protected system paths like /private/etc/ on macOS, bypassing the sensitive path check mechanism and potentially modifying critical system configuration files.
Affected Products
- NousResearch hermes-agent version 0.8.0
- hermes-agent installations prior to version 0.9.0
- Systems running macOS with hermes-agent file tools
Discovery Timeline
- 2026-04-29 - CVE-2026-7397 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7397
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as symlink following or symlink attack. The core issue lies in the _check_sensitive_path function within tools/file_tools.py, which fails to properly resolve symbolic links before checking whether a target path is in a protected directory.
On macOS systems, the /etc/ directory is actually a symbolic link to /private/etc/. The original implementation only checked for the /etc/ prefix, allowing an attacker to create a symbolic link that resolves to /private/etc/ or /private/var/ and bypass the path validation entirely. This enables unauthorized writes to critical system configuration files.
Root Cause
The vulnerability stems from an incomplete list of sensitive path prefixes in the _SENSITIVE_PATH_PREFIXES tuple. The original implementation did not account for macOS-specific path structures where critical system directories like /etc/ are symlinks to their canonical locations under /private/. The function _check_sensitive_path would resolve the symlink using os.path.realpath() but then only check against Linux-centric paths, missing the macOS equivalents.
Attack Vector
The attack requires local access to the system where hermes-agent is installed. An attacker with low privileges can exploit this by:
- Creating a symbolic link that points to a protected system path
- Using the hermes-agent file tools to write through the symlink
- The _check_sensitive_path function fails to recognize the resolved path as sensitive
- The write operation succeeds, modifying protected system files
# Paths that file tools should refuse to write to without going through the
# terminal tool's approval system. These match prefixes after os.path.realpath.
-_SENSITIVE_PATH_PREFIXES = ("/etc/", "/boot/", "/usr/lib/systemd/")
+_SENSITIVE_PATH_PREFIXES = (
+ "/etc/", "/boot/", "/usr/lib/systemd/",
+ "/private/etc/", "/private/var/",
+)
_SENSITIVE_EXACT_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}
Source: GitHub Commit 311dac1
Detection Methods for CVE-2026-7397
Indicators of Compromise
- Unexpected modifications to files in /private/etc/ or /private/var/ on macOS systems
- Suspicious symbolic links created in user-accessible directories pointing to system paths
- Unusual file tool activity from hermes-agent processes targeting system configuration files
- Log entries showing file operations on protected paths that bypassed the approval system
Detection Strategies
- Monitor for symlink creation operations that target system directories like /private/etc/ or /private/var/
- Implement file integrity monitoring on critical macOS system configuration directories
- Audit hermes-agent file tool operations for attempts to access paths outside expected working directories
- Deploy endpoint detection rules to flag symbolic link traversal patterns
Monitoring Recommendations
- Enable SentinelOne's file monitoring capabilities for /private/etc/ and /private/var/ directories
- Configure alerts for any process creating symbolic links to sensitive system paths
- Review hermes-agent logs for file operations that resolve to protected system directories
- Establish baseline behavior for hermes-agent file tool usage to detect anomalous activity
How to Mitigate CVE-2026-7397
Immediate Actions Required
- Upgrade NousResearch hermes-agent to version 0.9.0 or later immediately
- Audit existing hermes-agent installations to identify version 0.8.0 deployments
- Review system files in /private/etc/ and /private/var/ for unauthorized modifications
- Temporarily restrict hermes-agent file tool permissions until the patch is applied
Patch Information
The vulnerability is addressed in the patch identified as commit 311dac197145e19e07df68feba2cd55d896a3cd1. The fix expands the _SENSITIVE_PATH_PREFIXES tuple to include macOS-specific paths /private/etc/ and /private/var/, ensuring that symlink resolution properly blocks writes to these protected directories. Upgrading to version 0.9.0 or applying the GitHub Release v2026.4.13 mitigates this issue. For more details, see GitHub Pull Request #8829 and GitHub Issue #8734.
Workarounds
- Manually patch the _SENSITIVE_PATH_PREFIXES tuple to include /private/etc/ and /private/var/ if immediate upgrade is not possible
- Restrict local access to systems running vulnerable hermes-agent versions
- Implement additional file system permissions to prevent the hermes-agent process from writing to system directories
- Use macOS sandboxing or container isolation to limit the file system scope of hermes-agent operations
# Configuration example
# Verify hermes-agent version and upgrade if necessary
pip show hermes-agent | grep Version
pip install --upgrade hermes-agent>=0.9.0
# Alternatively, apply the specific patched release
pip install hermes-agent==0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
