PatchSiren cyber security CVE debrief
CVE-2026-9368 NousResearch CVE debrief
A medium-severity sandbox escape vulnerability exists in NousResearch hermes-agent up to version 2026.4.16. The flaw resides in the `execute_code` function within `tools/code_execution_tool.py`, specifically in the Environment Variable Handler component. Remote attackers can manipulate environment variables to bypass sandbox restrictions. The exploit has been publicly disclosed, and the vendor did not respond to early disclosure attempts. The vulnerability was published on 2026-05-24 and last modified on 2026-05-26.
- Vendor: NousResearch
- Product: hermes-agent
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-24
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-24
- Advisory updated: 2026-05-26
Who should care
Organizations running NousResearch hermes-agent versions up to 2026.4.16, particularly those exposing code execution capabilities to untrusted or semi-trusted inputs, and security teams managing AI agent deployments with sandboxed code execution features.
Technical summary
The vulnerability stems from improper handling of environment variables in the `execute_code` function of `tools/code_execution_tool.py`. Attackers can remotely manipulate these variables to escape sandbox restrictions. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no required privileges or user interaction, and low impact on confidentiality, integrity, and availability. The exploit is publicly available, which increases the immediate risk to unpatched systems.
Defensive priority
medium
Recommended defensive actions
- Review and restrict environment variable handling in sandboxed code execution environments
- Apply principle of least privilege to code execution containers
- Monitor for unauthorized environment variable modifications in hermes-agent deployments
- Consider implementing additional sandbox isolation layers beyond environment variable controls
- Await vendor patch or implement custom mitigations given vendor non-response
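One way to apply the first two actions as a custom mitigation is to build the child process environment from an allowlist instead of inheriting or merging caller-supplied variables. The following is an added example, not hermes-agent code and not a vendor fix; `build_sandbox_env`, `run_sandboxed`, the allowlist, and the POSIX `SAFE_PATH` are hypothetical, and the rejected prefixes are generally known loader and interpreter controls rather than details taken from the advisory.

```python
import os
import subprocess
import sys

# Assumption: the only names a sandboxed child legitimately needs.
ALLOWED_NAMES = {"PATH", "LANG", "LC_ALL", "TZ", "HOME", "TMPDIR"}
# Well-known variables that steer the dynamic loader or an interpreter.
# Listed so a rejected request carries a reason worth alerting on.
LOADER_PREFIXES = ("LD_", "DYLD_", "PYTHON", "BASH_FUNC_")
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"  # assumption: POSIX host


def build_sandbox_env(requested, parent=None):
    """Return (env, rejected) for a sandboxed child process.

    requested: untrusted overrides supplied with the execution request.
    parent: environment of the agent process (defaults to os.environ).
    """
    parent = os.environ if parent is None else parent
    # Start from nothing: agent secrets in the parent are never inherited.
    env = {k: parent[k] for k in ALLOWED_NAMES if k in parent}
    env["PATH"] = SAFE_PATH  # never inherit or accept a caller-chosen PATH
    rejected = {}
    for name, value in requested.items():
        if name == "PATH" or name.upper().startswith(LOADER_PREFIXES):
            rejected[name] = "loader/interpreter control"
        elif name not in ALLOWED_NAMES:
            rejected[name] = "not on allowlist"
        elif "\x00" in value or "\n" in value:
            rejected[name] = "control character in value"
        else:
            env[name] = value
    return env, rejected


def run_sandboxed(code, requested):
    """Run code in a child interpreter that sees only the scrubbed env."""
    env, rejected = build_sandbox_env(requested)
    proc = subprocess.run(
        [sys.executable, "-I", "-c", code],  # -I: isolated, ignores PYTHON* vars
        env=env, capture_output=True, text=True, timeout=10,
    )
    return proc.stdout, rejected  # log `rejected` for the monitoring action
```

Environment scrubbing is one layer only; it does not replace process, filesystem, or network isolation of the execution container.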
Evidence notes
Vulnerability identified in hermes-agent code execution tool; exploit publicly available via GitHub Gist; vendor contact attempted without response.
Official resources
Public disclosure with vendor non-response