CVE-2026-7397

April 29, 2026, 9:16 p.m.

1.9
Low

Description

A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.9.0 is able to mitigate this issue. The patch is identified as 311dac197145e19e07df68feba2cd55d896a3cd1. Upgrading the affected component is recommended.

Product(s) Impacted

Vendor Product Versions
Nousresearch
  • Hermes-agent
  • 0.8.0, 0.9.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-59
Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a nousresearch hermes-agent 0.8.0 / / / / / / /
a nousresearch hermes-agent 0.9.0 / / / / / / /

References

https://github.com/NousResearch/hermes-agent/
https://github.com/NousResearch/hermes-agent/commit/311dac197145e19e07df68feba2cd55d896a3cd1
https://github.com/NousResearch/hermes-agent/issues/8734
https://github.com/NousResearch/hermes-agent/pull/8829
https://github.com/NousResearch/hermes-agent/releases/tag/v2026.4.13
https://vuldb.com/submit/803270
https://vuldb.com/vuln/360121
https://vuldb.com/vuln/360121/cti

Tags

CWE-59
[email protected]
2026-04-29
CVE-2026-7397

CVSS Score

1.9 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: LOW
  • Exploit Maturity: PROOF_OF_CONCEPT

    • CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: April 29, 2026, 7:16 p.m.
Last Modified: April 29, 2026, 9:16 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.