CVE-2026-9367: NousResearch hermes-agent RCE Vulnerability

CVE-2026-9367 Overview

CVE-2026-9367 is an OS command injection vulnerability in the NousResearch hermes-agent project, affecting versions up to commit 5157f5427f19488b31c6fdebbacd15d798ce7f63. The flaw resides in the detect_dangerous_command function within tools/approval.py, part of the terminal_tool component. Attackers can exploit the weakness remotely without authentication or user interaction. The exploit has been publicly disclosed through a GitHub Gist proof-of-concept and VulDB submission. The vendor was contacted before public disclosure but did not respond. The vulnerability is classified under CWE-77, Improper Neutralization of Special Elements used in a Command.

Critical Impact

Remote attackers can inject arbitrary OS commands through the terminal tool's command approval logic, potentially executing code on the host running the hermes-agent.

Affected Products

• NousResearch hermes-agent up to commit 5157f5427f19488b31c6fdebbacd15d798ce7f63
• Affected component: terminal_tool
• Affected file and function: tools/approval.py — detect_dangerous_command

Discovery Timeline

• 2026-05-24 - CVE-2026-9367 published to NVD
• 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-9367

Vulnerability Analysis

The vulnerability exists in the detect_dangerous_command function inside tools/approval.py. This function is intended to screen commands routed through the terminal_tool component before execution. Because the function fails to properly neutralize shell metacharacters and command separators, attacker-controlled input is concatenated into a shell command and executed by the underlying operating system. The exploit can be triggered over the network and requires no authentication. A public proof-of-concept is available via GitHub Gist, and a VulDB entry tracks the issue. According to EPSS data dated 2026-05-28, the probability of exploitation places this issue in the 79th percentile, indicating meaningful attacker interest.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-77]. The approval logic that should detect dangerous commands does not adequately sanitize or reject shell metacharacters such as ;, |, &, backticks, or $() substitutions. Input that passes the heuristic check is forwarded to the shell, allowing chained or substituted commands to execute outside the approved command's scope.

Attack Vector

A remote attacker submits crafted input — for example, through an LLM prompt, API call, or any interface that reaches the terminal_tool — containing command separators or substitution syntax. The detect_dangerous_command heuristic fails to reject the payload, and the operating system executes the injected commands with the privileges of the hermes-agent process. No authentication or user interaction is required.

No verified exploit code is reproduced here. See the GitHub Gist PoC and the VulDB entry #365330 for technical details.

Detection Methods for CVE-2026-9367

Indicators of Compromise

• Unexpected child processes spawned by the hermes-agent Python runtime, particularly shells such as /bin/sh, bash, or cmd.exe.
• Shell command strings reaching terminal_tool that contain metacharacters such as ;, &&, ||, |, backticks, or $(...).
• Outbound network connections from the agent host to unfamiliar destinations following a tool-approval event.
• New or modified files in user-writable paths shortly after terminal_tool invocations.

Detection Strategies

• Instrument tools/approval.py with verbose logging of all candidate commands and approval decisions for offline review.
• Apply process-lineage rules that flag the hermes-agent process spawning interpreters or networking utilities such as curl, wget, nc, or python -c.
• Compare executed command strings against the originally requested LLM action to surface mismatches caused by injection.

Monitoring Recommendations

• Forward agent host process and command-line telemetry to a centralized analytics platform for correlation with tool-approval events.
• Alert on any execution path from the hermes-agent process tree that invokes shell metacharacters or substitution syntax.
• Track frequency and diversity of commands processed by detect_dangerous_command to identify abuse patterns.

How to Mitigate CVE-2026-9367

Immediate Actions Required

• Restrict network exposure of any hermes-agent instance until a patched version is available; do not expose the agent to untrusted input sources.
• Run hermes-agent under a dedicated, low-privilege user account with no sudo rights and a constrained filesystem view.
• Disable or remove the terminal_tool component if shell execution is not required for your deployment.
• Audit recent agent logs for prior invocations containing shell metacharacters in commands routed through detect_dangerous_command.

Patch Information

At the time of publication, the vendor had not responded to disclosure attempts and no official patch is referenced in the NVD entry. Track the upstream repository for fixes after commit 5157f5427f19488b31c6fdebbacd15d798ce7f63. Until a maintainer fix is published, treat all deployments as vulnerable and rely on compensating controls. Refer to the VulDB entry #365330 for ongoing tracking.

Workarounds

• Replace shell=True style execution with argument-list invocations such as subprocess.run([...], shell=False) and validate each argument against an allowlist.
• Reject any candidate command containing ;, |, &, \n, backticks, or $(...) before reaching the approval function.
• Require explicit human approval for every command execution rather than relying on heuristic detection.
• Run the agent inside a container or sandbox (for example, with seccomp and read-only root filesystem) to limit blast radius.

# Example hardened invocation: run hermes-agent as an unprivileged user in a constrained container
docker run --rm \
  --user 65534:65534 \
  --read-only \
  --cap-drop=ALL \
  --security-opt no-new-privileges \
  --network=none \
  hermes-agent:locked