CVE-2026-9352 Overview
CVE-2026-9352 is an information disclosure vulnerability in NousResearch hermes-agent versions up to 2026.4.23. The flaw resides in the _make_run_env function of tools/environments/local.py, part of the Messaging Gateway Handler component. An attacker can manipulate the function remotely to expose sensitive information without authentication or user interaction. The proof-of-concept exploit is publicly available on GitHub Gist, increasing the risk of opportunistic attacks. The vendor was contacted prior to disclosure but did not respond, leaving affected deployments without an official patch. This vulnerability is tracked under [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor].
Critical Impact
Remote, unauthenticated attackers can extract sensitive environment data from hermes-agent deployments using a publicly available exploit, with no vendor patch currently available.
Affected Products
- NousResearch hermes-agent versions up to and including 2026.4.23
- Messaging Gateway Handler component (tools/environments/local.py)
- Deployments exposing the _make_run_env function to network access
Discovery Timeline
- 2026-05-24 - CVE-2026-9352 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9352
Vulnerability Analysis
The vulnerability stems from improper handling of environment data within the _make_run_env function located in tools/environments/local.py. This function constructs the runtime execution environment for the agent. Attackers can manipulate inputs processed by the Messaging Gateway Handler to trigger disclosure of sensitive environment information. The exploit requires no authentication, no user interaction, and can be launched over the network. Because the proof-of-concept code has been published publicly, attackers can replicate the technique without specialized knowledge.
Root Cause
The root cause maps to [CWE-200], where sensitive information held within the run environment context is exposed to unauthorized actors. The _make_run_env function does not adequately restrict what data is returned or logged when invoked through the Messaging Gateway Handler. Environment variables in agent runtimes commonly include API keys, model credentials, and connection strings, all of which become exposure candidates when this control fails.
Attack Vector
The attack vector is network-based. An attacker sends crafted messages to the Messaging Gateway Handler interface that reaches _make_run_env. The handler processes the request and returns environment context that should remain internal. No privileges are required, and the attack complexity is low. Refer to the published GitHub Gist PoC Code and VulDB Vulnerability #365315 for additional technical context. No verified exploit code is reproduced here.
Detection Methods for CVE-2026-9352
Indicators of Compromise
- Unexpected outbound requests to the Messaging Gateway Handler endpoint of hermes-agent from untrusted networks.
- Log entries showing invocations of _make_run_env from external or unauthenticated sources.
- Anomalous responses from hermes-agent containing environment variables, file paths, or credentials.
Detection Strategies
- Inspect application logs for _make_run_env calls originating outside expected internal service callers.
- Deploy network monitoring on the messaging gateway interface to flag requests that return large response payloads consistent with environment dumps.
- Hunt for credential reuse patterns from disclosed hermes-agent environment data across downstream services and APIs.
Monitoring Recommendations
- Enable verbose logging on tools/environments/local.py calls and centralize logs for correlation.
- Alert on access to the Messaging Gateway Handler from IP ranges outside the agent's expected operational scope.
- Rotate any secrets or tokens previously exposed to the hermes-agent process and monitor for their misuse.
How to Mitigate CVE-2026-9352
Immediate Actions Required
- Restrict network access to the hermes-agent Messaging Gateway Handler so only trusted internal callers can reach it.
- Remove sensitive credentials and secrets from environment variables consumed by _make_run_env, replacing them with a secrets manager and runtime fetch.
- Audit historical logs and traffic for prior invocations of _make_run_env that may indicate exploitation.
Patch Information
No vendor patch is available. According to the disclosure, NousResearch was contacted but did not respond. Until a fix is released, operators must rely on compensating controls. Monitor the VulDB Vulnerability #365315 entry and the project repository for updates.
Workarounds
- Place hermes-agent behind an authenticated reverse proxy or service mesh that rejects unauthenticated requests to the messaging gateway.
- Apply egress and ingress firewall rules restricting the agent to known peer services only.
- Strip non-essential environment variables from the agent process and load sensitive values just-in-time within tightly scoped functions.
- Disable the affected component if it is not required for current operational use cases.
# Configuration example: restrict Messaging Gateway Handler exposure with iptables
iptables -A INPUT -p tcp --dport <hermes-agent-port> -s <trusted-subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport <hermes-agent-port> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
