CVE-2026-9366 Overview
CVE-2026-9366 is an injection vulnerability [CWE-74] affecting NousResearch hermes-agent version 2026.4.23. The flaw resides in the _scan_context_content function within agent/prompt_builder.py. An attacker can manipulate input processed by this function to inject content into the agent prompt pipeline, with the attack reachable over the network and requiring no authentication or user interaction. A public exploit has been released, and the vendor did not respond to disclosure attempts.
Critical Impact
Remote, unauthenticated attackers can inject content into the agent's prompt construction logic, potentially altering model behavior, leaking context data, or manipulating downstream actions taken by the agent.
Affected Products
- NousResearch hermes-agent version 2026.4.23
- Component: agent/prompt_builder.py
- Function: _scan_context_content
Discovery Timeline
- 2026-05-24 - CVE-2026-9366 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9366
Vulnerability Analysis
The vulnerability is classified under [CWE-74] as an improper neutralization of special elements in output used by a downstream component. The defect exists in the _scan_context_content function of agent/prompt_builder.py, which processes contextual content before that content is incorporated into a constructed prompt. Because the function does not adequately neutralize attacker-controlled markers or directives within the context, injected content can alter how the agent interprets subsequent instructions.
This class of issue is commonly described as prompt injection when applied to large language model (LLM) agent frameworks. The agent treats supplied context as trusted input, allowing crafted payloads to override system instructions, exfiltrate context, or trigger unintended tool calls.
Root Cause
The root cause is missing or insufficient sanitization within _scan_context_content. Content scanned and passed into the prompt builder is not separated from authoritative instructions, so adversarial strings embedded in context are concatenated directly into the final prompt. The vendor was contacted but did not respond, leaving the defect unaddressed at publication.
Attack Vector
The attack is remotely exploitable across a network path. An attacker supplies content that reaches _scan_context_content through any channel the agent ingests, such as documents, retrieved web data, or upstream tool output. Once embedded, the injected directives are evaluated by the LLM as if issued by the operator. A proof-of-concept has been published publicly on GitHub Gist and indexed by VulDB. See the GitHub Gist PoC Repository and VulDB #365329 for technical details.
Detection Methods for CVE-2026-9366
Indicators of Compromise
- Anomalous tool invocations or shell-like instructions appearing in agent context logs that did not originate from the system prompt.
- Outbound requests to unfamiliar domains immediately following ingestion of external content.
- Repeated prompt patterns in prompt_builder traces containing role markers, instruction overrides, or delimiter escapes.
Detection Strategies
- Log every input passed to _scan_context_content and compare against allow-listed schemas before prompt assembly.
- Apply heuristic and regex scanning for known prompt-injection tokens (for example, role tags, system overrides, and base64 blobs) in retrieved context.
- Correlate agent decisions with the source of context content to identify cases where untrusted input drove privileged actions.
Monitoring Recommendations
- Centralize hermes-agent runtime logs and alert on deviations between expected and observed tool-call sequences.
- Monitor network egress from hosts running the agent for connections that follow ingestion of third-party content.
- Track version and dependency state of hermes-agent to ensure deployments do not regress to 2026.4.23.
How to Mitigate CVE-2026-9366
Immediate Actions Required
- Inventory all deployments running hermes-agent2026.4.23 and isolate them from sensitive data sources until remediation is in place.
- Disable or gate the code paths that invoke _scan_context_content on untrusted input.
- Restrict network exposure of the agent to authenticated, trusted callers only.
Patch Information
No vendor patch is available. The vendor did not respond to disclosure, and no fixed version has been published. Operators should track the upstream repository for updates and apply community-maintained mitigations where appropriate.
Workarounds
- Pre-process all external content through a sanitization layer that strips instruction markers and role delimiters before it reaches prompt_builder.py.
- Enforce strict separation between system instructions and user or retrieved context using structured message formats.
- Constrain the agent's tool surface so that any injected directives cannot trigger destructive actions without out-of-band approval.
- Rate-limit and authenticate all interfaces that feed context to the agent to reduce remote attack surface.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
