NousResearch hermes-agent CVE-2026-10548 — Improper Auth in Credential Pool Sync
AI relevance: hermes-agent is a multi-agent orchestration framework that manages and synchronizes LLM provider credentials — a credential-sync bypass lets local attackers impersonate other agents' API keys and call models they shouldn't have access to.
- CVE-2026-10548 (CVSS 5.3, Medium) was disclosed June 2, 2026 for NousResearch hermes-agent ≤ 2026.4.23.
- The flaw sits in
_sync_anthropic_entry_from_credentials_filewithin the agent's credential-pool synchronization component (agent/credential_pool.py). - The bug class is improper authentication (CWE-287) — the sync function does not correctly validate credentials when merging entries from a shared credentials file into the Anthropic provider pool.
- Exploitability requires local access to the host filesystem, but once achieved an attacker can inject or override credentials in the shared pool.
- This is the second hermes-agent CVE in 48 hours — CVE-2026-10221 (covered June 1) involved a separate credential-leak path in the same framework.
- The vendor has not responded to disclosure; a public exploit is available (EPSS 0.02% — low probability but non-zero).
Why it matters
Multi-agent frameworks pool credentials across dozens of model providers (OpenAI, Anthropic, etc.). A sync bypass means any process with local file access can corrupt or inject credentials, turning a single compromised node into a lateral-movement vector across every LLM API the agent orchestrates. With hermes-agent used for autonomous red-teaming and security evaluation pipelines, this is particularly dangerous in shared lab environments.
What to do
- Audit any deployment of hermes-agent ≤ 2026.4.23; check
agent/credential_pool.pyfor unpatched_sync_anthropic_entry_from_credentials_file. - Restrict filesystem access to the agent's credential directory (no world-readable, no symlink targets from untrusted directories).
- Rotate all API keys stored in the hermes-agent credential pool if local access was possible by any untrusted party.
- Monitor for a vendor patch — follow the hermes-agent repo for updates.