NousResearch Hermes-Agent Context File Injection Scanner Bypass Vulnerability

A prompt injection vulnerability has been identified in NousResearch Hermes-Agent version 2026.4.23. The issue arises in the context-file injection scanner within the function '_scan_context_content' of 'agent/prompt_builder.py'. This vulnerability allows for the injection of malicious instructions that are executed by the language model (LLM) via the agent's toolset, including commands that could be used for remote code execution. The flaw exists because the regex pattern used to scan context files fails to account for multi-word variations of certain phrases, allowing injected content to bypass the scanner's safeguards. The vulnerability can be exploited by placing a poisoned context file in a directory that the Hermes-Agent will read from when it is executed.

Impact

Exploitation of this vulnerability leads to a complete override of the system prompt used by the language model, allowing for arbitrary instructions to be executed via the agent's tools. This could include commands for remote code execution, manipulation of files under the user's account, exfiltration of credentials or secrets, and persistence of injected instructions across sessions.

Reproduction

To reproduce this vulnerability, clone the NousResearch Hermes-Agent repository at tag v2026.4.23. After ensuring that the required dependencies are installed, place a malicious 'AGENTS.md' file in the same directory where the agent will be executed. This file should contain a payload that exploits the regex bypass by using a multi-word instruction. When the agent is run, it will load the poisoned context file and execute the injected commands via its toolset.

Remediation

Users can manually edit the context files that Hermes-Agent loads to remove any malicious instructions. However, no official patch is available for this vulnerability at the moment.