Hermes Agent ships 9 CVEs

Workstation agents are the new security headache — not because they look like ordinary apps, but because they sit on a user’s machine, remember things across sess(repello.ai) the biggest names in that category. Now it has become a pretty clean example of what goes wrong when you combine persistence, autonomy, and broad acces(repello.ai)ed CVEs in four days in March 2026, with one bug scored at 9.9 on CVSS and several others tied to the very features that make the product attractive in the first place. (repello.ai) ### What is Hermes Agent? Hermes Agent is an open-source agent from Nous Research built around a simple pitch: the agent “grows with you.” It keeps memory across sessions, improves its own skills, and can run across messaging platforms and other interfaces instead of living inside one chat window. That design helped it spread fast — the main GitHub repo shows roughly 130,000 stars, and the official site describes it as a persistent personal agent rather than a one-off chatbot. (github.com) ### What actually happened? T(repello.ai)ine CVEs were disclosed against Hermes Agent, as summarized in Repello’s May 2 post. Repello frames the episode less as a one-bad-release problem and more as a stress test for the whole “always-on agent on your workstation” model. The reason is simple — the flaws were spread across authentication, file handling, skills, and memory behavior, not one isolated module. (repello.ai) ### Why is the 9.9 score such a big deal? Because 9.9(github.com) to hand over full root access by default. Repello says the top issue was remote code execution via crafted skill manifests. In plain English, that means a maliciously prepared skill package could trick the agent into running attacker-controlled code. For a tool meant to install capabilities and act on a user’s behalf, that is about as bad as the failure mode gets. (repello.ai) ### Were the other bugs the s(repello.ai)m. NVD entries already show multiple distinct Hermes Agent issues published in late April 2026, including improper authentication in the API server key handler and a path traversal flaw in the WeChat Work adapter. Repello’s broader point is that five of the nine CVEs landed in the memory and personalization layer, which is the part Hermes emphasizes most heavily. So the weak spots were not random edge cases — they clustered around core product behavior. (nvd.nist.gov)make agents harder to secure? Because memory turns one bad interaction into a durable problem. A normal chat session forgets what happened when you close it. A persistent agent can retrieve poisoned instructions later, blend them into future reasoning, and then call tools with that tainted context. Repello highlights indirect prompt injection through retrieved memory as a workstation-agent-specific failure mode, and says standard endpoint tools often miss it because the dangerous action can look like normal agent behavior rather than malware execution. (repello.ai) ### Can teams just ban these tools? Probably not. Repello’s argument is that engineers install workstation agents on personal devices and connect them to company systems anyway, often through MCP servers or other sanctioned interfaces. That means the realistic defense is not a blanket ban. It is discovery, classification, runtime controls, manifest validation, memory isolation, prompt-layer monitoring, and detailed tool-call logging. Basically — govern the agent you already have, not the imaginary one you think nobody installed. (repello.ai)eal lesson is that agent security is shifting from “did the model say something bad?” to “what can this software remember, reach, and execute over time?” Hermes Agent is still moving fast — its latest GitHub release was published April 30, 2026 — but the security story now sits right next to the product story. If the features users love are persistent memory and self-improving skills, then those same features also become the attack surface. (github.com) ### Bottom line? This(repello.ai)off visible: the more your agent behaves like a durable digital coworker, the more it needs controls that look like endpoint security, application security, and model security all at once. (repello.ai)