CVE-2026-9350 Overview
CVE-2026-9350 is a missing authorization vulnerability in NousResearch hermes-agent versions up to 2026.4.16. The flaw resides in the check_all_command_guards function of tools/approval.py within the Batch Runner component. Attackers can exploit this issue remotely without authentication or user interaction. The vendor was contacted prior to public disclosure but did not respond, and a public exploit is available on GitHub. The weakness is categorized as [CWE-862] Missing Authorization.
Critical Impact
Remote attackers can bypass command approval guards in the Batch Runner, leading to unauthorized actions affecting confidentiality, integrity, and availability of the hermes-agent.
Affected Products
- NousResearch hermes-agent up to and including version 2026.4.16
- Batch Runner component (tools/approval.py)
- Deployments invoking the check_all_command_guards function
Discovery Timeline
- 2026-05-24 - CVE-2026-9350 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9350
Vulnerability Analysis
The vulnerability stems from a missing authorization check inside the check_all_command_guards function of tools/approval.py. This function is responsible for validating that commands routed through the Batch Runner satisfy configured approval guards before execution. Because the routine does not enforce authorization correctly, callers can request guarded operations without satisfying the intended access requirements.
The Batch Runner is designed to mediate sensitive actions on behalf of the hermes-agent. When approval enforcement fails, the agent can carry out commands that should have required explicit operator consent. The defect maps to [CWE-862] Missing Authorization and the public proof-of-concept demonstrates that the bypass is reachable over the network.
The EPSS probability for this CVE is 0.038%, reflecting low observed exploitation activity at this time. However, the availability of a public exploit increases the likelihood of opportunistic abuse against exposed agents.
Root Cause
The root cause is an authorization gap within check_all_command_guards. The guard routine accepts and processes command requests without confirming that the requester is actually authorized for the guarded operation, so a request can satisfy the approval checks without any operator consent. As a result, controls intended to gate command execution can be circumvented.
Attack Vector
The attack vector is network-based, requires no privileges, and needs no user interaction. An attacker with reachability to the hermes-agent Batch Runner can submit crafted requests to exercise the unguarded code path. A public exploit snippet is published as a GitHub gist by the reporter, lowering the barrier to weaponization.
No verified exploit code is republished here. Refer to the GitHub Exploit Code Snippet and the VulDB Vulnerability #365313 entry for technical details.
Detection Methods for CVE-2026-9350
Indicators of Compromise
- Unexpected invocations of the Batch Runner that bypass operator approval prompts.
- Log entries showing check_all_command_guards returning success for requests lacking valid approval context.
- Outbound network requests to hermes-agent endpoints originating from untrusted sources.
Detection Strategies
- Audit application logs for command executions that lack a corresponding approval record.
- Compare executed command IDs against the approval queue to identify guard bypasses.
- Monitor tools/approval.py code paths with instrumentation or tracing to catch unauthorized calls.
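One way to implement the command-ID-to-approval correlation described above, as an added example that is not hermes-agent code: it walks an event log in order, records approvals, and flags every execution with no prior approval for the same command ID, tagging those from outside the trusted subnet. The JSON log shape, field names, subnet and sample lines are constructed assumptions.

```python
"""Flag Batch Runner executions that have no preceding approval record."""
import ipaddress
import json

# Constructed sample log (one JSON event per line, chronological).
SAMPLE_LOG = """\
{"ts": "2026-05-25T09:00:01Z", "event": "approval", "command_id": "c-101", "approver": "alice"}
{"ts": "2026-05-25T09:00:05Z", "event": "exec", "command_id": "c-101", "src": "10.0.5.12"}
{"ts": "2026-05-25T09:02:10Z", "event": "exec", "command_id": "c-102", "src": "203.0.113.9"}
{"ts": "2026-05-25T09:03:00Z", "event": "approval", "command_id": "c-103", "approver": "bob"}
{"ts": "2026-05-25T09:03:40Z", "event": "exec", "command_id": "c-103", "src": "10.0.5.12"}
{"ts": "2026-05-25T09:04:00Z", "event": "exec", "command_id": "c-104", "src": "10.0.5.12"}
{"ts": "2026-05-25T09:05:00Z", "event": "exec", "command_id": "c-105", "src": "10.0.5.12"}
{"ts": "2026-05-25T09:05:30Z", "event": "approval", "command_id": "c-105", "approver": "bob"}
"""

# Assumed trusted operator network; anything else is treated as untrusted.
TRUSTED_SUBNETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(src, subnets):
    """True if the source address falls inside any trusted subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in subnets)


def find_guard_bypasses(events, subnets=TRUSTED_SUBNETS):
    """Return executions whose command_id had no approval logged before them.

    An approval that arrives after the execution does not clear it: the
    command already ran without the guard being satisfied.
    """
    approved = set()
    findings = []
    for ev in events:
        if ev["event"] == "approval":
            approved.add(ev["command_id"])
        elif ev["event"] == "exec" and ev["command_id"] not in approved:
            findings.append({
                "ts": ev["ts"],
                "command_id": ev["command_id"],
                "src": ev["src"],
                "untrusted_source": not is_trusted(ev["src"], subnets),
            })
    return findings


if __name__ == "__main__":
    for f in find_guard_bypasses(parse_events(SAMPLE_LOG)):
        print("guard bypass:", f)
```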
Monitoring Recommendations
- Forward hermes-agent and Batch Runner logs to a centralized analytics platform for correlation.
- Alert on anomalous spikes in batch command volume or commands executed outside approved business hours.
- Track network access to the agent and flag connections from previously unseen source addresses.
How to Mitigate CVE-2026-9350
Immediate Actions Required
- Restrict network exposure of the hermes-agent Batch Runner to trusted management networks only.
- Disable the Batch Runner component where it is not strictly required for operations.
- Review approval logs to confirm no unauthorized commands have already been executed.
Patch Information
No vendor patch has been published. The vendor did not respond to disclosure attempts. Track the VulDB Vulnerability #365313 entry and the upstream NousResearch repository for any future fix to tools/approval.py.
Workarounds
- Place the hermes-agent behind an authenticated reverse proxy that enforces access control on Batch Runner endpoints.
- Add a network-layer allowlist limiting Batch Runner access to specific operator workstations.
- Apply a local patch that adds explicit authorization checks inside check_all_command_guards before guard evaluation returns success.
# Configuration example: restrict access to the Batch Runner with iptables.
# Replace the <...> placeholders with the agent's listening port and the
# trusted admin subnet. Rules are appended in order, so the ACCEPT rule
# must be added before the catch-all DROP.
iptables -A INPUT -p tcp --dport <hermes_agent_port> -s <trusted_admin_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport <hermes_agent_port> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.