NousResearch Hermes-Agent Batch Runner Missing Authorization Vulnerability Allowing Arbitrary Command Execution

A vulnerability exists in NousResearch Hermes-Agent versions through 2026.4.16, specifically within the Batch Runner component. The issue arises in the 'check_all_command_guards' function of 'tools/approval.py', where dangerous commands are automatically approved when executed via 'batch_runner.py'. This oversight occurs because the batch runner does not activate essential interactive environment variables, leading to a missing authorization check. As a result, prompt injection payloads embedded in untrusted JSONL datasets can be exploited to execute arbitrary commands on the host machine without user consent. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability bypasses authorization checks, allowing for arbitrary command execution on the host machine running 'batch_runner.py'. This undermines the command approval system, which is intended to prevent harmful operations. The vulnerability could be exploited to steal credentials, access sensitive files, establish a reverse shell, or compromise datasets shared on platforms like Hugging Face Hub.

Reproduction

To reproduce this vulnerability, upload a malicious JSONL dataset containing prompt injection payloads into a 'batch_runner.py' environment. The absence of key interactive environment variables will cause the approval check to automatically approve all dangerous commands. This can be verified by running the same commands in a CLI mode with 'HERMES_INTERACTIVE' set, where the approval prompts will correctly block the commands.