CVE-2026-9369: Incorrect Comparison in NousResearch hermes-agent
CVE-2026-9369 is a medium severity vulnerability in NousResearch hermes-agent version 2026. 4. 23. It involves an incorrect comparison in the _discover_dashboard_plugins function within the CLI web-dashboard interface, triggered by manipulation of the HERMES_ENABLE_PROJECT_PLUGINS argument. Exploitation requires local access and no user interaction. The vendor has not responded to the disclosure, and no patch or official remediation is currently available. The exploit code has been publicly released but there are no confirmed reports of exploitation in the wild.
AI Analysis
Technical Summary
This vulnerability in NousResearch hermes-agent 2026.4.23 affects the _discover_dashboard_plugins function in the hermes_cli/web_server.py file. An attacker with local access can manipulate the HERMES_ENABLE_PROJECT_PLUGINS argument, causing an incorrect comparison that may lead to unintended behavior. The issue does not require user interaction and has low attack complexity but limited scope due to the need for local privileges. The vendor has not provided a fix or advisory, and no patch information is available.
Potential Impact
The vulnerability allows a local attacker with limited privileges to manipulate plugin discovery logic in the CLI web-dashboard interface, potentially leading to unauthorized plugin activation or other unintended effects. The CVSS 4.8 score reflects a medium impact with limited attack vector (local) and privileges required. There is no evidence of remote exploitation or widespread active exploitation at this time.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Since exploitation requires local access, restricting local user privileges and access to the affected system can reduce risk. Monitor for updates from the vendor for any forthcoming patches or advisories. Avoid running the affected version in untrusted local environments until a fix is released.
CVE-2026-9369: Incorrect Comparison in NousResearch hermes-agent
Description
CVE-2026-9369 is a medium severity vulnerability in NousResearch hermes-agent version 2026. 4. 23. It involves an incorrect comparison in the _discover_dashboard_plugins function within the CLI web-dashboard interface, triggered by manipulation of the HERMES_ENABLE_PROJECT_PLUGINS argument. Exploitation requires local access and no user interaction. The vendor has not responded to the disclosure, and no patch or official remediation is currently available. The exploit code has been publicly released but there are no confirmed reports of exploitation in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in NousResearch hermes-agent 2026.4.23 affects the _discover_dashboard_plugins function in the hermes_cli/web_server.py file. An attacker with local access can manipulate the HERMES_ENABLE_PROJECT_PLUGINS argument, causing an incorrect comparison that may lead to unintended behavior. The issue does not require user interaction and has low attack complexity but limited scope due to the need for local privileges. The vendor has not provided a fix or advisory, and no patch information is available.
Potential Impact
The vulnerability allows a local attacker with limited privileges to manipulate plugin discovery logic in the CLI web-dashboard interface, potentially leading to unauthorized plugin activation or other unintended effects. The CVSS 4.8 score reflects a medium impact with limited attack vector (local) and privileges required. There is no evidence of remote exploitation or widespread active exploitation at this time.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Since exploitation requires local access, restricting local user privileges and access to the affected system can reduce risk. Monitor for updates from the vendor for any forthcoming patches or advisories. Avoid running the affected version in untrusted local environments until a fix is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-23T10:33:18.362Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a12c1f509f6977edb44a35f
Added to database: 5/24/2026, 9:16:37 AM
Last enriched: 5/24/2026, 9:31:32 AM
Last updated: 5/24/2026, 10:21:05 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.