CVE-2026-7397 Overview
CVE-2026-7397 is a symlink following vulnerability [CWE-59] affecting NousResearch hermes-agent version 0.8.0. The flaw resides in the _check_sensitive_path function within tools/file_tools.py. An authenticated local attacker can manipulate symbolic links to bypass the sensitive path check and cause the agent to operate on files outside the intended scope. A public exploit has been released, increasing the likelihood of opportunistic abuse on affected systems. Upgrading to version 0.9.0 remediates the issue. The fix is tracked under commit 311dac197145e19e07df68feba2cd55d896a3cd1.
Critical Impact
Local attackers can leverage symlink following in _check_sensitive_path to bypass sensitive path validation in hermes-agent 0.8.0, leading to limited integrity and availability impact on files the agent process can access.
Affected Products
- NousResearch hermes-agent 0.8.0
- Component: tools/file_tools.py — function _check_sensitive_path
- Fixed in NousResearch hermes-agent 0.9.0
Discovery Timeline
- 2026-04-29 - CVE-2026-7397 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7397
Vulnerability Analysis
The vulnerability is a symbolic link following weakness classified as [CWE-59]. The _check_sensitive_path function in tools/file_tools.py validates whether a target path falls within a restricted or sensitive area before allowing file operations. The check does not adequately resolve symbolic links before evaluating the path. An attacker with local access can place a symlink that points from a permitted location to a sensitive file. When the agent processes the symlinked path, the check passes against the link itself rather than the resolved target. The agent then operates on the sensitive target file, undermining the path restriction. The EPSS probability is 0.015% (percentile 3.021), reflecting low predicted exploitation activity, though a public exploit exists.
Root Cause
The root cause is improper link resolution during path validation. The _check_sensitive_path function evaluates the textual or lexically normalized path instead of the canonical, fully resolved filesystem path. This time-of-check to time-of-use style gap allows symlink substitution to defeat the sensitivity check.
Attack Vector
Exploitation requires local access and low privileges on the host running hermes-agent. The attacker creates a symbolic link in a directory the agent will process, pointing to a file the validation routine intends to block. The agent then follows the link during a subsequent file tool operation. No user interaction is required. Technical details and the patch commit are available in the GitHub Commit Detail and GitHub Issue Tracker.
No verified proof-of-concept code is published in this advisory data. Refer to the VulDB Vulnerability Detail for the disclosed exploit reference.
Detection Methods for CVE-2026-7397
Indicators of Compromise
- Creation of symbolic links inside directories that hermes-agent reads or writes, particularly links resolving outside the intended working tree.
- File access events from the hermes-agent process targeting paths flagged as sensitive by _check_sensitive_path.
- Presence of hermes-agent version 0.8.0 binaries or Python package metadata on hosts.
Detection Strategies
- Audit installed Python packages and source trees for hermes-agent 0.8.0 and verify the patched commit 311dac197145e19e07df68feba2cd55d896a3cd1 is present.
- Enable filesystem auditing (auditd on Linux) for symlink, symlinkat, and openat syscalls originating from the hermes-agent process.
- Correlate agent file operations with the canonicalized resolved path rather than the supplied path to spot validation bypass attempts.
Monitoring Recommendations
- Log all file tool invocations made by hermes-agent and capture both the requested path and the resolved real path.
- Alert when the agent process opens files under directories explicitly listed in its sensitive path policy.
- Track new symlink creation events by non-administrative users in directories used by the agent.
How to Mitigate CVE-2026-7397
Immediate Actions Required
- Upgrade hermes-agent from 0.8.0 to 0.9.0 or later, which contains the fix in commit 311dac197145e19e07df68feba2cd55d896a3cd1.
- Inventory all hosts running hermes-agent and prioritize patching systems where untrusted local users can create files.
- Review existing working directories used by the agent and remove unexpected symbolic links pointing outside the intended scope.
Patch Information
The maintainers fixed the issue in version 0.9.0. The relevant commit is 311dac197145e19e07df68feba2cd55d896a3cd1. See the GitHub Pull Request and GitHub Release Notes for change details.
Workarounds
- Restrict local access to hosts running hermes-agent to trusted users only, reducing the attack surface for local symlink placement.
- Run the agent under a dedicated low-privilege account that has no read access to sensitive files outside its working directory.
- Mount the agent's working directory with the nosymfollow option where supported, or place it on a filesystem where symlink creation by non-privileged users is disallowed.
# Configuration example: upgrade hermes-agent to a fixed release
pip install --upgrade "hermes-agent>=0.9.0"
# Verify the installed version
python -c "import importlib.metadata; print(importlib.metadata.version('hermes-agent'))"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

