CVE-2026-9353 Overview
CVE-2026-9353 is an injection vulnerability affecting NousResearch hermes-agent versions up to 2026.4.23. The flaw resides in the agent/skills_guard.py file within the Skills Guard Multi-Word Prompt Handler component. Attackers can manipulate the THREAT_PATTERNS argument to inject malicious input remotely without authentication or user interaction. A public proof-of-concept has been disclosed, increasing the likelihood of opportunistic exploitation. The vendor was contacted prior to disclosure but did not respond. This vulnerability is categorized under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Remote attackers can inject arbitrary content into the Skills Guard prompt handler by manipulating THREAT_PATTERNS, undermining the integrity of agent safety controls.
Affected Products
- NousResearch hermes-agent versions up to and including 2026.4.23
- Component: Skills Guard Multi-Word Prompt Handler (agent/skills_guard.py)
- Deployments exposing the hermes-agent over network-reachable interfaces
Discovery Timeline
- 2026-05-24 - CVE-2026-9353 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9353
Vulnerability Analysis
The vulnerability resides in agent/skills_guard.py, which implements the Skills Guard Multi-Word Prompt Handler in the hermes-agent project. This component is intended to enforce safety constraints by filtering prompts against a set of threat patterns. The THREAT_PATTERNS argument is consumed without proper neutralization of special elements, allowing crafted input to alter the downstream processing logic. Because the attack vector is network-based and requires neither privileges nor user interaction, any reachable instance is exposed. The EPSS data places the immediate exploitation probability at a low percentile, but the existence of a public proof-of-concept may shift that risk over time.
Root Cause
The root cause is improper neutralization of special elements when handling the THREAT_PATTERNS argument inside agent/skills_guard.py. Input intended as a pattern definition flows into a downstream component without sanitization, enabling injection. The Skills Guard module — designed as a safety boundary — becomes the very surface through which the boundary can be subverted.
Attack Vector
An unauthenticated remote attacker submits crafted values to the THREAT_PATTERNS parameter consumed by the Skills Guard Multi-Word Prompt Handler. The injected payload influences how subsequent prompt evaluation is performed, allowing the attacker to bypass or distort threat-pattern checks. No verified exploitation code is reproduced here; refer to the public proof-of-concept and VulDB entries for technical specifics: GitHub Gist PoC, VulDB Vulnerability #365316.
Detection Methods for CVE-2026-9353
Indicators of Compromise
- Unexpected modifications or runtime overrides of the THREAT_PATTERNS variable consumed by agent/skills_guard.py.
- Inbound network requests to hermes-agent endpoints containing pattern-like metacharacters or regex constructs in fields mapped to THREAT_PATTERNS.
- Skills Guard log entries showing prompts that should have been blocked but were permitted through.
Detection Strategies
- Instrument agent/skills_guard.py to log the source, length, and content hash of THREAT_PATTERNS values at runtime.
- Add input validation alerts when THREAT_PATTERNS values arrive from untrusted network sources rather than configuration.
- Correlate Skills Guard bypass events with the calling identity and source IP to identify probing behavior.
Monitoring Recommendations
- Monitor process telemetry for hermes-agent Python workers spawning unexpected child processes or network connections.
- Track outbound traffic from hermes-agent hosts for anomalous destinations after prompt-handling events.
- Centralize hermes-agent application logs in a SIEM and alert on Skills Guard rule-evaluation anomalies.
How to Mitigate CVE-2026-9353
Immediate Actions Required
- Restrict network exposure of hermes-agent instances to trusted internal networks until a fix is available.
- Treat all THREAT_PATTERNS inputs from non-administrative sources as untrusted and reject them at the ingress layer.
- Inventory all deployments running hermes-agent at version 2026.4.23 or earlier and prioritize them for remediation.
Patch Information
No vendor patch has been published at the time of disclosure. The vendor was contacted prior to public disclosure but did not respond. Track the VulDB Vulnerability #365316 entry and the project's repository for any subsequent release that addresses neutralization of the THREAT_PATTERNS input.
Workarounds
- Wrap or fork agent/skills_guard.py to enforce strict allow-listing of THREAT_PATTERNS values and reject any input containing unexpected metacharacters.
- Place hermes-agent behind an authenticating reverse proxy or API gateway that filters request fields mapped to THREAT_PATTERNS.
- Run the agent process under a least-privilege account with egress filtering to limit the impact of any successful injection.
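# Configuration example
# Example ingress filter (illustrative) to reject suspicious THREAT_PATTERNS payloads
# at a reverse proxy in front of hermes-agent.
# Note: $arg_THREAT_PATTERNS holds the raw (not URL-decoded) query-string value, so this
# check does not cover percent-encoded characters or values sent in a request body.
location /agent/ {
    if ($arg_THREAT_PATTERNS ~* "[;|&`$()<>]") {
        return 400;
    }
    proxy_pass http://hermes_agent_upstream;
}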
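An added sketch (not code from hermes-agent or from the referenced PoC) of the detection and workaround steps above: it logs the source, length and content hash of each candidate THREAT_PATTERNS set, flags drift from a pinned baseline, and fails closed on anything outside an allow-list. It assumes patterns are a list of plain multi-word phrases; `fingerprint`, `validate`, `audit`, `TRUSTED_SOURCES` and the logger name are hypothetical.

```python
import hashlib
import json
import logging
import re

log = logging.getLogger("skills_guard.audit")

# Assumptions (not from hermes-agent): patterns are plain multi-word phrases,
# and only these sources may supply them.
ALLOWED_PHRASE = re.compile(r"[A-Za-z0-9]+(?: [A-Za-z0-9]+){0,15}")
TRUSTED_SOURCES = {"config"}
MAX_PATTERNS = 256


def fingerprint(patterns):
    """SHA-256 over the ordered pattern list, stable across runs."""
    blob = json.dumps(patterns, separators=(",", ":"), default=repr)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def validate(patterns):
    """Return a list of rejection reasons; an empty list means the set is clean."""
    if not isinstance(patterns, (list, tuple)):
        return ["not a list"]
    reasons = []
    if not 0 < len(patterns) <= MAX_PATTERNS:
        reasons.append("pattern count out of range")  # empty set would disable the guard
    for i, p in enumerate(patterns):
        if not isinstance(p, str) or not ALLOWED_PHRASE.fullmatch(p):
            reasons.append(f"pattern[{i}] outside allow-list")
    return reasons


def audit(patterns, source, baseline_sha256):
    """Log source, length and hash of a candidate set; fail closed on any doubt."""
    reasons = validate(patterns)
    if source not in TRUSTED_SOURCES:
        reasons.append(f"untrusted source {source!r}")
    digest = fingerprint(patterns)
    record = {
        "source": source,
        "count": len(patterns) if isinstance(patterns, (list, tuple)) else None,
        "sha256": digest,
        "drift": digest != baseline_sha256,  # runtime override indicator
        "accept": not reasons,
        "reasons": reasons,
    }
    level = logging.WARNING if reasons or record["drift"] else logging.INFO
    log.log(level, "THREAT_PATTERNS audit %s", json.dumps(record))
    return record
```

When `accept` is false the caller keeps the baseline pattern set; the JSON log line is what a SIEM rule would key on for `drift` and `source`.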


