CVE-2026-9368 Overview
CVE-2026-9368 affects NousResearch hermes-agent versions up to 2026.4.16. The flaw resides in the execute_code function within tools/code_execution_tool.py, part of the Environment Variable Handler component. Manipulation of the affected function leads to a sandbox escape condition that can be triggered remotely without authentication. A public proof-of-concept exists, and the vendor did not respond to early disclosure outreach. The weakness is categorized under [CWE-264] (Permissions, Privileges, and Access Controls).
Critical Impact
Remote attackers can bypass the agent's code execution sandbox by manipulating environment variables, gaining unauthorized influence over code running inside the agent runtime.
Affected Products
- NousResearch hermes-agent versions up to and including 2026.4.16
- Component: tools/code_execution_tool.py Environment Variable Handler
- Function: execute_code
Discovery Timeline
- 2026-05-24 - CVE-2026-9368 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9368
Vulnerability Analysis
The vulnerability exists in the execute_code function of tools/code_execution_tool.py. This function is responsible for executing model-generated or user-supplied code inside the hermes-agent runtime. The Environment Variable Handler does not adequately restrict how environment variables influence the sandboxed execution context. As a result, attackers can shape the runtime environment in ways that weaken or escape the intended isolation boundary.
The weakness maps to [CWE-264], reflecting improper enforcement of permissions around process execution. Because the agent accepts remote inputs that flow into the execution path, an attacker does not need local access or prior authentication to trigger the condition. A public proof-of-concept is hosted on GitHub Gist, increasing the likelihood of opportunistic exploitation.
Root Cause
The execute_code routine trusts environment variables when preparing the child process used to run untrusted code. Sandbox controls rely on assumptions about a clean environment, but those assumptions are not enforced. Attacker-controlled environment values therefore alter interpreter behavior, library loading, or path resolution inside the sandbox.
Attack Vector
The attack is remote and requires no privileges or user interaction. An attacker submits crafted inputs to the agent that propagate into the environment variable handling logic of execute_code. The resulting process inherits attacker-influenced variables, breaking the sandbox boundary and enabling unauthorized actions inside the agent host. See the GitHub Gist PoC Resource and the VulDB Vulnerability #365331 entry for additional technical context.
No verified exploitation code is reproduced here. Refer to the linked references for sanitized technical details.
Detection Methods for CVE-2026-9368
Indicators of Compromise
- Unexpected child processes spawned by hermes-agent with unusual environment variables such as LD_PRELOAD, PYTHONPATH, or PATH overrides
- Outbound network connections originating from the agent's code-execution subprocesses to untrusted destinations
- Modifications to files outside the configured sandbox working directory by processes descending from execute_code
Detection Strategies
- Monitor process creation events where the parent is the hermes-agent runtime and inspect the environment block for attacker-controlled variables
- Alert on Python interpreter invocations that load shared libraries or modules from non-standard paths
- Correlate inbound agent requests with subsequent code execution and filesystem or network activity to identify suspicious request-to-execution chains
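The following is an added illustration of the first detection strategy above; it is not part of the advisory, of hermes-agent, or of any vendor tooling. It runs a simple environment-block check over constructed process-creation events: the event field names, the parent process name `hermes-agent`, and the expected baseline PATH are assumptions, and the risky variable names are those listed in the indicators above.

```python
"""Flag process-creation events whose environment suggests sandbox tampering.

Added example, not hermes-agent code. Events are constructed below in the
shape a minimal EDR/auditd-style collector might emit; the field names,
the parent process name and the baseline PATH are assumptions.
"""
import os
from dataclasses import dataclass, field
from typing import Optional

# Variables that change interpreter behaviour or library loading; any of them
# set on a child of the agent runtime is worth an alert on its own.
HIGH_RISK_VARS = ("LD_AUDIT", "LD_LIBRARY_PATH", "LD_PRELOAD",
                  "PYTHONPATH", "PYTHONSTARTUP")

# PATH a correctly configured deployment is expected to use (assumed value).
EXPECTED_PATH = "/usr/local/bin:/usr/bin"

# Process name of the agent runtime to match on as parent (assumption).
AGENT_IMAGE = "hermes-agent"


@dataclass
class ProcEvent:
    pid: int
    parent_name: str
    image: str
    env: dict


@dataclass
class Finding:
    pid: int
    reasons: list = field(default_factory=list)


def inspect_event(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding if a child of the agent runtime looks tampered with."""
    if ev.parent_name != AGENT_IMAGE:
        return None  # only children of the agent runtime are in scope
    reasons = []
    for var in HIGH_RISK_VARS:
        if var in ev.env:
            reasons.append(f"{var} set to {ev.env[var]!r}")
    path = ev.env.get("PATH")
    if path is not None and path != EXPECTED_PATH:
        # Any PATH entry that is not in the baseline counts as an override.
        baseline = EXPECTED_PATH.split(os.pathsep)
        extra = [p for p in path.split(os.pathsep) if p not in baseline]
        if extra:
            reasons.append(f"PATH override adds {extra}")
    return Finding(ev.pid, reasons) if reasons else None


def scan(events):
    """Return the findings for every event that triggered a reason."""
    return [f for ev in events if (f := inspect_event(ev)) is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(101, "hermes-agent", "python3",
              {"PATH": EXPECTED_PATH, "HOME": "/var/lib/hermes"}),
    ProcEvent(102, "hermes-agent", "python3",
              {"PATH": EXPECTED_PATH, "LD_PRELOAD": "/tmp/x.so"}),
    ProcEvent(103, "hermes-agent", "python3",
              {"PATH": "/tmp/bin:/usr/bin", "PYTHONPATH": "/tmp/pkgs"}),
    ProcEvent(104, "sshd", "bash", {"LD_PRELOAD": "/tmp/y.so"}),  # not ours
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.pid, "; ".join(finding.reasons))
```

Run as a script it reports pids 102 and 103 only; event 104 is skipped because its parent is not the agent runtime. In a real deployment the `env` dict would come from the collector's captured environment block (for example from `/proc/<pid>/environ` at process start), and the baseline PATH should be taken from the deployment's own launch configuration.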
Monitoring Recommendations
- Enable verbose logging of the execute_code function, including arguments and environment state at invocation
- Collect endpoint telemetry on processes descending from the hermes-agent service and forward to a centralized analytics platform
- Track changes to tools/code_execution_tool.py and surrounding sandbox configuration files for unauthorized modifications
How to Mitigate CVE-2026-9368
Immediate Actions Required
- Restrict network exposure of any hermes-agent deployment to trusted, authenticated callers only
- Run the agent under a low-privilege service account inside a container or VM with minimal host filesystem access
- Sanitize and explicitly allow-list environment variables passed into execute_code rather than inheriting the parent environment
- Disable or remove the code execution tool if it is not required for your workflow
Patch Information
No vendor patch is available at the time of publication. The vendor was contacted prior to disclosure but did not respond. Monitor the VulDB Vulnerability #365331 entry and the upstream NousResearch repository for updates.
Workarounds
- Wrap execute_code invocations in a hardened sandbox such as a seccomp-restricted container with no inherited environment
- Apply a local source patch that scrubs sensitive environment variables (LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, PATH) before subprocess creation
- Place the agent behind an authenticating reverse proxy and rate-limit requests that reach code execution endpoints
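As an added illustration of the allow-listing workaround above (the source-patch idea of scrubbing LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH and PATH before subprocess creation), the code below shows one way to build a child environment from a fixed base instead of inheriting the parent's. It is example code, not hermes-agent's own execute_code; the base values, the sandbox home directory, the allow-listed request keys and the helper names are assumptions.

```python
"""Build an allow-listed environment for an untrusted-code subprocess.

Added example, not hermes-agent's own code. The blocked variable names are
those named in the advisory; BASE_ENV, the sandbox paths and the set of
request keys allowed through are assumptions.
"""
import subprocess
import sys

# The child starts from these fixed values, never from os.environ.
BASE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "HOME": "/var/lib/hermes/sandbox",  # assumed sandbox working directory
    "LANG": "C.UTF-8",
}

# Request-supplied variables that may pass through if well-formed (assumption).
ALLOWED_REQUEST_KEYS = {"TZ", "HERMES_TASK_ID"}

# Never accepted from the request: they alter library loading, interpreter
# startup or path resolution, which is exactly the escape the advisory describes.
DENIED_PREFIXES = ("LD_", "DYLD_", "PYTHON")
DENIED_KEYS = {"PATH", "HOME", "SHELL", "ENV", "BASH_ENV", "PROMPT_COMMAND"}


class EnvRejected(ValueError):
    """Raised when a request tries to set a variable the sandbox forbids."""


def build_sandbox_env(requested: dict) -> dict:
    """Return the environment a sandboxed child should receive.

    Denied names raise instead of being silently dropped so the caller can
    log the attempt; keys not on the allow-list are dropped; allowed values
    are checked for characters that could smuggle extra assignments.
    """
    env = dict(BASE_ENV)
    for key, value in requested.items():
        if key in DENIED_KEYS or key.startswith(DENIED_PREFIXES):
            raise EnvRejected(f"refusing environment variable {key!r}")
        if key not in ALLOWED_REQUEST_KEYS:
            continue
        if "\0" in value or "\n" in value or "=" in key:
            raise EnvRejected(f"invalid characters in {key!r}")
        env[key] = value
    return env


def rejects(requested: dict) -> bool:
    """True if build_sandbox_env refuses the given request environment."""
    try:
        build_sandbox_env(requested)
    except EnvRejected:
        return True
    return False


def run_untrusted(code: str, requested_env: dict,
                  timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Run code in a fresh interpreter that sees only the allow-listed env.

    -I (isolated mode) additionally makes the interpreter ignore PYTHON*
    variables and the user site directory even if one slipped through.
    """
    env = build_sandbox_env(requested_env)
    return subprocess.run(
        [sys.executable, "-I", "-c", code],
        env=env, capture_output=True, text=True, timeout=timeout, check=False,
    )


if __name__ == "__main__":
    result = run_untrusted("import os; print(sorted(os.environ))",
                           {"TZ": "UTC", "LD_PRELOAD_ATTEMPT": "dropped"})
    print(result.stdout.strip())  # only HOME, LANG, PATH and TZ are visible
```

The important property is that `env=` is always passed to `subprocess.run`, so nothing from the agent process's own environment reaches the child unless it is listed in `BASE_ENV`; this is the same effect `env -i` has in the shell example below, applied at the point where execute_code spawns its interpreter.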
# Example: invoke hermes-agent with a scrubbed environment under a restricted user.
# env -i starts from an empty environment, so only the variables listed below reach the agent.
sudo -u hermes-svc env -i \
PATH=/usr/local/bin:/usr/bin \
HOME=/var/lib/hermes \
python -m hermes_agent --config /etc/hermes/agent.yaml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.