PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9369 NousResearch CVE debrief

A local privilege issue exists in NousResearch hermes-agent 2026.4.23 within the CLI web-dashboard interface. The _discover_dashboard_plugins function in hermes_cli/web_server.py performs an incorrect comparison when processing the HERMES_ENABLE_PROJECT_PLUGINS argument, which could allow a local attacker to manipulate plugin loading behavior. The vulnerability requires local access and has been assigned a LOW severity CVSS score of 1.9. A proof-of-concept has been publicly disclosed. The vendor was reportedly contacted prior to disclosure but did not respond.

Vendor
NousResearch
Product
hermes-agent
CVSS
LOW 1.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-24
Original CVE updated
2026-05-26
Advisory published
2026-05-24
Advisory updated
2026-05-26

Who should care

Organizations running NousResearch hermes-agent 2026.4.23 with local multi-user access; security teams monitoring CLI web-dashboard deployments; developers maintaining hermes-agent installations with plugin functionality enabled

Technical summary

The _discover_dashboard_plugins function in hermes_cli/web_server.py of hermes-agent 2026.4.23 contains an incorrect comparison vulnerability (CWE-697) related to HERMES_ENABLE_PROJECT_PLUGINS argument handling. The flaw requires local access to exploit and could allow manipulation of plugin discovery behavior. Attack complexity is low with low privileges required, but impact is limited to local confidentiality, integrity, and availability impacts.

Defensive priority

low

Recommended defensive actions

  • Review local access controls on systems running hermes-agent 2026.4.23
  • Audit HERMES_ENABLE_PROJECT_PLUGINS environment variable usage
  • Monitor for unauthorized plugin loading attempts in hermes_cli/web_server.py
  • Apply vendor patches when available; consider restricting local access to the CLI web-dashboard interface
  • Review gist disclosure for defensive awareness of attack technique

Evidence notes

Vulnerability identified in hermes_cli/web_server.py within the _discover_dashboard_plugins function. CWE-697 (Incorrect Comparison) is the primary weakness classification. CVSS 4.0 vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P.

Official resources

Public disclosure occurred on 2026-05-24 with CVE publication. A proof-of-concept was released publicly. Vendor contact was attempted without response.