Skip to main content
CVE Vulnerability Database

CVE-2026-9351: Hermes-Agent Path Traversal Vulnerability

CVE-2026-9351 is a path traversal flaw in NousResearch hermes-agent that allows attackers to bypass file access restrictions remotely. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-9351 Overview

CVE-2026-9351 is a path traversal vulnerability in NousResearch hermes-agent versions up to 2026.4.16. The flaw resides in the _is_blocked_device function within tools/file_tools.py, which is part of the read_file tool. Attackers can manipulate file path inputs to bypass intended directory restrictions and access files outside the permitted scope. The vulnerability is remotely exploitable and requires no authentication or user interaction. A public exploit has been released, and the vendor did not respond to the disclosure attempt.

Critical Impact

Remote attackers can read arbitrary files on the host running hermes-agent, exposing configuration files, credentials, and other sensitive data through the read_file agent tool.

Affected Products

  • NousResearch hermes-agent versions up to and including 2026.4.16
  • The read_file tool component in tools/file_tools.py
  • Deployments exposing the agent's file-reading capability to untrusted input

Discovery Timeline

  • 2026-05-24 - CVE-2026-9351 published to the National Vulnerability Database
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-9351

Vulnerability Analysis

The vulnerability is a path traversal flaw [CWE-22] in the _is_blocked_device function of tools/file_tools.py. The function is responsible for validating whether a requested file path references a blocked device or restricted location before the read_file tool processes the request. Insufficient normalization of the supplied path allows attackers to use traversal sequences such as ../ to escape the intended boundary.

Because hermes-agent is an autonomous agent framework that can act on instructions from remote inputs, an attacker capable of influencing tool arguments can direct the agent to read files outside the sandboxed directory. The result is unauthorized disclosure of file contents accessible to the agent process. The CVSS 4.0 vector indicates limited integrity and availability impact alongside the disclosure risk.

Root Cause

The root cause is incomplete validation of user-supplied file paths within _is_blocked_device. The function evaluates the supplied path without fully resolving symbolic links or canonicalizing relative segments before comparing it against the blocklist. Traversal sequences therefore bypass the device and directory restrictions intended to constrain read_file.

Attack Vector

An unauthenticated remote attacker submits a crafted file path argument to the read_file tool exposed by hermes-agent. The path contains traversal sequences that resolve to sensitive locations on the host filesystem. The agent passes the input to _is_blocked_device, the check fails to detect the traversal, and the tool returns the requested file contents. Public proof-of-concept code is available via the GitHub Gist PoC and the VulDB entry #365314.

No verified exploitation code is reproduced here. Refer to the linked references for technical specifics of the proof of concept.

Detection Methods for CVE-2026-9351

Indicators of Compromise

  • Requests to the hermes-agentread_file tool containing ../, ..\, URL-encoded traversal sequences (%2e%2e%2f), or absolute paths to sensitive locations such as /etc/passwd, /proc/self/environ, or ~/.ssh/
  • Unexpected reads of system or credential files originating from the agent process
  • Agent logs showing _is_blocked_device evaluations against paths outside the configured working directory

Detection Strategies

  • Inspect hermes-agent request and tool-invocation logs for path arguments that include parent-directory references or known sensitive file paths
  • Correlate process telemetry with file open events to identify the agent process accessing files outside its expected scope
  • Apply application-layer rules on any reverse proxy or API gateway in front of the agent to flag traversal patterns in tool parameters

Monitoring Recommendations

  • Enable verbose logging for all tool invocations in hermes-agent and forward those logs to a central analytics platform for review
  • Monitor file access by the agent's user account, focusing on reads of configuration files, private keys, environment files, and shell history
  • Track outbound network activity following suspicious read_file calls to detect possible exfiltration of disclosed data

How to Mitigate CVE-2026-9351

Immediate Actions Required

  • Restrict network exposure of hermes-agent to trusted clients only, using firewall rules or authenticated reverse proxies
  • Run the agent under a low-privilege account that lacks read access to credentials, keys, and sensitive system files
  • Disable or remove the read_file tool from the agent's tool registry if it is not required for the deployed workflow
  • Audit recent agent logs for traversal patterns or unexpected file reads that may indicate prior exploitation

Patch Information

No vendor patch has been published at the time of the NVD record. The original reporter indicated the vendor did not respond to the disclosure. Operators should track the VulDB Vulnerability #365314 entry and the project's source repository for any future fix and apply it once available.

Workarounds

  • Wrap read_file invocations with a filesystem chroot, container mount restriction, or AppArmor or SELinux profile that confines the agent to a dedicated directory
  • Add a pre-validation layer that canonicalizes input paths using os.path.realpath and rejects any path that does not begin with the approved base directory
  • Maintain a strict allowlist of file paths or filename patterns the agent may read, rather than relying on the existing blocklist
bash
# Configuration example: run hermes-agent in a restricted directory
mkdir -p /opt/hermes-sandbox
chown hermes:hermes /opt/hermes-sandbox
chmod 750 /opt/hermes-sandbox

# Launch the agent confined to the sandbox using systemd hardening
# /etc/systemd/system/hermes-agent.service
# [Service]
# User=hermes
# WorkingDirectory=/opt/hermes-sandbox
# ProtectSystem=strict
# ProtectHome=true
# ReadOnlyPaths=/
# ReadWritePaths=/opt/hermes-sandbox
# NoNewPrivileges=true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.