CVE-2026-9354 Overview
CVE-2026-9354 is an output escaping vulnerability in NousResearch hermes-agent versions up to 2026.4.16. The flaw resides in the Slack Agent and Mattermost Agent components, where manipulation of the format_message argument leads to improper neutralization of output ([CWE-74]). The issue can be triggered remotely without authentication or user interaction. A public exploit example has been released, increasing the risk of opportunistic abuse. According to the disclosure record, the vendor was contacted prior to public disclosure but did not respond.
Critical Impact
Remote, unauthenticated attackers can inject crafted content through the format_message argument, affecting the integrity and availability of downstream Slack and Mattermost messaging surfaces handled by hermes-agent.
Affected Products
- NousResearch hermes-agent versions up to and including 2026.4.16
- hermes-agent Slack Agent component
- hermes-agent Mattermost Agent component
Discovery Timeline
- 2026-05-24 - CVE-2026-9354 published to the National Vulnerability Database (NVD)
- 2026-05-26 - Last updated in the NVD database
- 2026-05-28 - EPSS score recorded at 0.044%
Technical Details for CVE-2026-9354
Vulnerability Analysis
The vulnerability sits in the message formatting path used by the Slack and Mattermost agents within hermes-agent. The format_message argument is processed without sufficient output neutralization, which is the behavior categorized under [CWE-74] (Improper Neutralization of Special Elements in Output). Attackers can supply crafted input that alters how the agent's output is interpreted by the downstream channel. Because the agents relay structured messages into chat platforms, improperly escaped content can change message semantics, embed unintended directives, or influence agent decisions that consume the output. The attack is reachable across the network and requires no privileges or user interaction.
Root Cause
The agent constructs outbound messages by interpolating attacker-controllable data into the format_message argument without performing context-aware escaping for the target chat platform. Special characters and formatting tokens reach the rendering layer intact, so the boundary between trusted template content and untrusted input collapses at the output stage.
Attack Vector
An unauthenticated remote actor submits crafted content that flows into the format_message argument of the Slack or Mattermost agent. When the agent renders or relays the message, the injected payload is treated as formatting or control content rather than literal text. A public proof-of-concept demonstrating the technique is referenced in the GitHub Gist exploit example and in the VulDB Vulnerability #365317 record.
No verified exploit code is reproduced here. Refer to the linked advisories for technical reproduction details.
Detection Methods for CVE-2026-9354
Indicators of Compromise
- Outbound Slack or Mattermost messages from hermes-agent containing unexpected formatting tokens, control characters, or embedded markup that did not originate from a configured template.
- Log entries showing format_message invocations with payloads containing escape sequences, backticks, or platform-specific formatting directives sourced from untrusted callers.
- Anomalous bot-driven posts in Slack or Mattermost channels that reference commands or links not present in legitimate agent workflows.
Detection Strategies
- Inspect agent runtime logs for format_message calls and compare argument structure against expected template shapes.
- Correlate inbound API or webhook traffic to hermes-agent with outbound chat platform posts to identify input-to-output injection patterns.
- Apply content inspection at the chat platform API boundary to flag messages containing control sequences inconsistent with normal agent output.
Monitoring Recommendations
- Forward hermes-agent application logs and chat platform audit logs into a centralized analytics pipeline for correlation.
- Alert on first-seen formatting patterns originating from hermes-agent service accounts.
- Track version strings of deployed hermes-agent instances to confirm none remain at 2026.4.16 or earlier after remediation.
How to Mitigate CVE-2026-9354
Immediate Actions Required
- Inventory all hermes-agent deployments and confirm version. Treat any instance at or below 2026.4.16 as vulnerable.
- Restrict network reachability of the Slack and Mattermost agent endpoints to trusted callers only until a fixed version is available.
- Disable or unbind the Slack Agent and Mattermost Agent components if they are not in active use.
- Review recent chat channel activity for posts that may reflect exploitation attempts.
Patch Information
At the time of publication, no vendor advisory or fixed release has been published by NousResearch. The disclosure record indicates the vendor did not respond to the disclosure attempt. Monitor the upstream project and the VulDB Vulnerability #365317 entry for updated remediation guidance.
Workarounds
- Wrap calls to the Slack and Mattermost agents with an input sanitization layer that strips or escapes platform-specific formatting characters before they reach format_message.
- Enforce strict allow-lists on which upstream sources can submit content that ultimately flows into format_message.
- Route agent output through a templating gateway that performs context-aware escaping for Slack mrkdwn and Mattermost markdown rendering.
- Rotate Slack and Mattermost bot tokens used by hermes-agent and reduce their scopes to the minimum required for production workflows.
# Example: restrict network exposure of hermes-agent to an internal CIDR
# using iptables until a vendor fix is released
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
