CVE-2026-7397

MEDIUM 4.4

NousResearch hermes-agent file_tools.py _check_sensitive_path symlink

CVSS Score

4.4

EPSS Score

0.0%

EPSS Percentile

0th

A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.9.0 is able to mitigate this issue. The patch is identified as 311dac197145e19e07df68feba2cd55d896a3cd1. Upgrading the affected component is recommended.

CWE	CWE-61 CWE-59
Vendor	nousresearch
Product	hermes-agent
Published	Apr 29, 2026
Last Updated	Apr 30, 2026

Stay Ahead of the Next One

Get instant alerts for nousresearch hermes-agent

Be the first to know when new medium vulnerabilities affecting nousresearch hermes-agent are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

NousResearch / hermes-agent

0.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/360121 vuldb.com: https://vuldb.com/vuln/360121/cti vuldb.com: https://vuldb.com/submit/803270 github.com: https://github.com/NousResearch/hermes-agent/issues/8734 github.com: https://github.com/NousResearch/hermes-agent/pull/8829 github.com: https://github.com/NousResearch/hermes-agent/commit/311dac197145e19e07df68feba2cd55d896a3cd1 github.com: https://github.com/NousResearch/hermes-agent/releases/tag/v2026.4.13 github.com: https://github.com/NousResearch/hermes-agent/

Credits

🔍 Yu_Bao (VulDB User)