PatchSiren cyber security CVE debrief

CVE-2026-9367 NousResearch CVE debrief

A command injection vulnerability exists in NousResearch hermes-agent, affecting the `detect_dangerous_command` function within `tools/approval.py` of the terminal_tool component. The flaw permits remote attackers to inject arbitrary operating system commands. The vulnerability was publicly disclosed on 2026-05-24 after the vendor was contacted but did not respond. A proof-of-concept exploit has been publicly released. The vulnerability is classified as MEDIUM severity with a CVSS score of 5.5.

Vendor: NousResearch
Product: hermes-agent
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-24
Original CVE updated: 2026-05-26
Advisory published: 2026-05-24
Advisory updated: 2026-05-26

Who should care

Organizations running NousResearch hermes-agent with terminal_tool enabled, particularly those exposing agent interfaces to untrusted networks or integrating with automated workflow systems.

Technical summary

The vulnerability resides in the `detect_dangerous_command` function within `tools/approval.py` of the terminal_tool component in NousResearch hermes-agent. Insufficient input sanitization allows remote attackers to inject and execute arbitrary operating system commands. The attack vector is network-accessible with low attack complexity. The affected code is present in commits up to and including 5157f5427f19488b31c6fdebbacd15d798ce7f63.

Defensive priority

medium

Recommended defensive actions

  • Review and restrict access to hermes-agent deployments, particularly those exposing terminal_tool functionality
  • Audit `tools/approval.py` for unsafe command execution patterns and implement strict input validation
  • Apply principle of least privilege to any service accounts used by hermes-agent
  • Monitor for suspicious command execution patterns in environments running affected versions
  • Subscribe to security advisories for the NousResearch/hermes-agent repository so that patch availability is noticed promptly
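The "strict input validation" action above, illustrated with a fail-closed classifier for an agent's command-approval gate. This is an added example, not hermes-agent's own code (the page does not show how `detect_dangerous_command` is implemented); the program lists, the verdict names and the `classify_command` function are assumptions of the example.

```python
import os
import re
import shlex

# Verdicts for a command an agent proposes to run. Anything not positively
# recognised as safe goes to a human ("review"); the gate fails closed.
ALLOW, DENY, REVIEW = "allow", "deny", "review"

# Illustrative program lists (assumptions for this example, not the project's).
SAFE_PROGRAMS = {"ls", "cat", "pwd", "echo", "grep", "head", "tail", "wc"}
DANGEROUS_PROGRAMS = {"rm", "dd", "mkfs", "shutdown", "reboot", "chmod",
                      "chown", "sudo", "curl", "wget"}

# Command substitution is not a control-operator token and still expands
# inside double quotes, so it is checked on the raw string, not on tokens.
SUBSTITUTION_MARKERS = ("`", "$(", "${")


def classify_command(cmd: str) -> str:
    """Classify one proposed command; compound or unparseable input is never auto-approved."""
    # A newline separates shell commands, but shlex treats it as whitespace,
    # so "ls\nrm -rf /" would otherwise be read as the single command "ls".
    if "\n" in cmd or "\r" in cmd:
        return REVIEW
    if any(marker in cmd for marker in SUBSTITUTION_MARKERS):
        return REVIEW
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split on whitespace and ();<>|& only
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes: cannot reason about it, escalate
        return REVIEW
    # Any unquoted control operator (| || & && ; ( ) < > >> <<) means more
    # than one command or a redirection; the first program's name then says
    # nothing about the rest of the line, so a human has to look at it.
    operators = set(lexer.punctuation_chars)
    if any(tok and set(tok) <= operators for tok in tokens):
        return REVIEW
    # Skip leading VAR=value assignments so "X=1 rm -rf /" is judged by "rm".
    while tokens and re.fullmatch(r"[A-Za-z_]\w*=.*", tokens[0]):
        tokens.pop(0)
    if not tokens:
        return REVIEW
    program = os.path.basename(tokens[0])  # "/bin/rm" and "rm" are the same
    if program in DANGEROUS_PROGRAMS:
        return DENY
    if program in SAFE_PROGRAMS:
        return ALLOW
    return REVIEW  # unknown program: not auto-approved
```

A quoted operator such as `echo "a;b"` stays a single token and is allowed, whereas `echo $(id)` and a bare `;` both escalate to review.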

Evidence notes

Vulnerability affects commit 5157f5427f19488b31c6fdebbacd15d798ce7f63 and earlier. The `detect_dangerous_command` function in `tools/approval.py` fails to properly sanitize input, enabling OS command injection. CWE-77 and CWE-78 are identified as relevant weakness classifications. The exploit has been publicly disclosed via GitHub Gist.