CVE-2026-9366 NousResearch CVE debrief

Who should care

Organizations deploying NousResearch hermes-agent 2026.4.23 in production environments, particularly those exposing AI agent interfaces to untrusted or remote users. Security teams responsible for AI/ML application security and prompt injection defenses. Developers building applications on top of hermes-agent who need to understand underlying vulnerabilities in dependencies.

Technical summary

The vulnerability exists in the `_scan_context_content` function within `agent/prompt_builder.py` of NousResearch hermes-agent version 2026.4.23. The function fails to properly neutralize special elements in output, leading to an injection condition (CWE-74, CWE-707). Attackers can exploit this remotely to inject malicious content. The attack vector is network-based with low attack complexity and no required privileges or user interaction. The exploit has been publicly released, increasing the risk of active exploitation.

Defensive priority

medium

Recommended defensive actions

• Review and sanitize all inputs to the `_scan_context_content` function in `agent/prompt_builder.py` to prevent injection attacks
• Implement input validation and output encoding for data processed by the prompt builder
• Consider upgrading to a patched version when available from the vendor
• Monitor for suspicious activity targeting prompt injection vectors in AI agent deployments
• Apply principle of least privilege to limit impact of potential injection attacks

Evidence notes

Vulnerability identified in NousResearch hermes-agent 2026.4.23. The specific vulnerable component is the `_scan_context_content` function in `agent/prompt_builder.py`. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-707 (Improper Neutralization) are associated with this vulnerability. The exploit has been made public. Vendor was contacted but did not respond.

Official resources