NousResearch Hermes-Agent Remote Code Execution Vulnerability via Dashboard Plugin Bypass

Vulnerability

A code execution vulnerability has been identified in NousResearch Hermes-Agent version 2026.4.23. The issue is in the CLI web-dashboard interface, specifically the '_discover_dashboard_plugins' function of 'hermes_cli/web_server.py'. That function evaluates the 'HERMES_ENABLE_PROJECT_PLUGINS' environment variable incorrectly, so setting it to 'false' or '0' does not actually disable project plugins: plugins found in the current working directory are still discovered and loaded. The flaw can only be exploited with local access, by placing a malicious project plugin in a directory where the web server or dashboard is later started.

Impact

Exploitation of this vulnerability allows arbitrary code execution with the privileges of the user running the Hermes web server or dashboard, even when that user has opted out of project plugins by setting 'HERMES_ENABLE_PROJECT_PLUGINS' to 'false' or '0'. Because project plugins are loaded from the working directory, any directory in which that user starts the dashboard becomes a code-execution vector.

Reproduction

To reproduce this vulnerability, set the 'HERMES_ENABLE_PROJECT_PLUGINS' environment variable to 'false' or '0' to opt out of project plugins. Then start the Hermes web server or dashboard from a directory containing a project plugin that exploits the bypass. Despite the opt-out, the untrusted plugin is discovered and executed immediately, yielding code execution in the context of the user running the server.
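The following is an added example, not code from Hermes-Agent, that models the class of bug described in the Vulnerability and Reproduction sections above: an environment-variable opt-out whose string value is evaluated incorrectly, so that 'false' or '0' still enables plugin discovery. The advisory does not say what the incorrect evaluation in '_discover_dashboard_plugins' actually is; the weak check below uses the most common form of this mistake (treating any non-empty string as true) as an assumption for illustration. The plugin directory layout ('.hermes/plugins/*.py') and the 'demo()' scenario are likewise constructed for the example, and the plugin file it writes is never executed.

```python
"""Env-var opt-out check: a weak form beside a hardened form.

Added example, not Hermes-Agent code. The real _discover_dashboard_plugins is
not reproduced; this models the bug class the advisory describes.
"""
import tempfile
from pathlib import Path

ENV_VAR = "HERMES_ENABLE_PROJECT_PLUGINS"

# Assumed spellings a user might set to opt out / opt in.
_FALSE_VALUES = {"0", "false", "no", "off"}
_TRUE_VALUES = {"1", "true", "yes", "on"}


def project_plugins_enabled_weak(env: dict) -> bool:
    """Weak check (assumed bug form): a non-empty string is truthy in Python,
    so HERMES_ENABLE_PROJECT_PLUGINS=false still returns True."""
    return bool(env.get(ENV_VAR, "1"))


def project_plugins_enabled_strict(env: dict) -> bool:
    """Hardened check: parse the value explicitly and fail closed on anything
    unrecognised, so an opt-out can never be misread as an opt-in."""
    raw = env.get(ENV_VAR)
    if raw is None:
        return True  # assumption: enabled unless the user opts out
    value = raw.strip().lower()
    if value in _FALSE_VALUES:
        return False
    if value in _TRUE_VALUES:
        return True
    return False  # unrecognised value: fail closed


def discover_project_plugins(project_dir: Path, env: dict, *, check) -> list:
    """Return candidate plugin files under <project_dir>/.hermes/plugins
    (assumed layout) only if the supplied opt-out check allows it.
    Discovery only; nothing is imported or executed."""
    if not check(env):
        return []
    plugin_dir = project_dir / ".hermes" / "plugins"
    if not plugin_dir.is_dir():
        return []
    return sorted(p for p in plugin_dir.glob("*.py") if p.is_file())


def demo() -> dict:
    """Constructed scenario matching the Reproduction section: the user opts
    out with HERMES_ENABLE_PROJECT_PLUGINS=false, then starts the dashboard in
    a directory that carries an untrusted project plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        plugin_dir = project / ".hermes" / "plugins"
        plugin_dir.mkdir(parents=True)
        # Constructed plugin file; its contents are never run by this example.
        (plugin_dir / "evil.py").write_text("print('plugin code ran')\n")
        env = {ENV_VAR: "false"}
        weak = discover_project_plugins(project, env, check=project_plugins_enabled_weak)
        strict = discover_project_plugins(project, env, check=project_plugins_enabled_strict)
        return {"weak": [p.name for p in weak], "strict": [p.name for p in strict]}


if __name__ == "__main__":
    print(demo())  # weak check still discovers evil.py; strict check discovers nothing
```

The strict check fails closed on unrecognised values, which is the property to test for when auditing any opt-out flag: an attacker who can influence the environment or the working directory should never be able to turn a security opt-out into an opt-in through a value the parser does not understand.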

Added: May 26, 2026, 8:48 PM
Updated: May 26, 2026, 8:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.2
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.