NousResearch Hermes-Agent CVE-2026-10221 — Context Compression Injection
AI relevance: The vulnerability sits in run_agent.py's _compress_context function — the component responsible for compressing the LLM agent's conversational context — making it an injection attack surface specific to agent execution pipelines rather than a generic app flaw.
- CVE-2026-10221 affects NousResearch hermes-agent up to version 0.12.0
- CVSS 7.3 (High severity), classified under CWE-74 (Improper Neutralization of Special Elements)
- The
_compress_contextfunction inrun_agent.pyfails to properly sanitize context data before compression, enabling injection payloads - Attack can be initiated remotely with no authentication or user interaction required
- A working exploit is publicly available, raising the risk of opportunistic exploitation
- NousResearch did not respond to disclosure contact attempts per the advisory record
- This is the first CVE disclosed for the hermes-agent framework, signaling that open-source agent frameworks are now getting CVE-level scrutiny
Why it matters
Agent context compression is a core component of any LLM agent system — it reduces token costs and manages context windows. When the compression layer itself is injectable, attackers can manipulate what the agent "remembers" and how it reasons, creating a memory-poisoning vector at the infrastructure level. This compounds with the memory-poisoning attack surface discussed in prior coverage.
What to do
- If running hermes-agent ≤ 0.12.0, isolate from untrusted input until a patch is released
- Audit context compression logic in any custom agent framework for unsanitized data flow
- Monitor for exploitation attempts targeting hermes-agent deployments
- Consider context compression as part of your agent threat model — the compression layer is now an attack surface
Sources: