CVE-2026-9350 NousResearch CVE debrief

Who should care

Organizations running NousResearch hermes-agent versions up to 2026.4.16 with the Batch Runner component enabled; security teams managing AI/ML agent infrastructure; DevOps teams deploying automated agent workflows.

Technical summary

The vulnerability resides in the `check_all_command_guards` function within `tools/approval.py` of the hermes-agent Batch Runner component. The function fails to properly enforce authorization checks, allowing remote attackers to submit commands without adequate authentication or authorization validation. The flaw is network-exploitable with low complexity and requires no privileges or user interaction. The publicly available exploit demonstrates the bypass mechanism.

Defensive priority

medium

Recommended defensive actions

• Review and update hermes-agent to a version newer than 2026.4.16 if available, or apply vendor-provided patches
• Implement additional authorization controls at the infrastructure level to compensate for the missing application-level guards
• Monitor for anomalous command execution patterns in Batch Runner deployments, particularly unauthorized or unexpected command sequences
• Restrict network access to hermes-agent Batch Runner instances to trusted administrative hosts only
• Audit `tools/approval.py` for custom patches or workarounds if vendor patches are unavailable
• Review logs for evidence of exploitation attempts targeting the `check_all_command_guards` function

Evidence notes

Vulnerability identified in `tools/approval.py` within the `check_all_command_guards` function. CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization) classified. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/E:P. Public exploit available via referenced gist.

Official resources