CVE-2026-10548: hermes-agent: auth bypass exposes Anthropic API credentials

MEDIUM
Published June 2, 2026
CISO Take

NousResearch hermes-agent contains an improper authentication flaw (CWE-287) in its credential pool synchronization component — specifically in `_sync_anthropic_entry_from_credentials_file` — allowing a low-privileged local attacker to bypass access controls and read Anthropic API credentials from the agent's credential pool. While the local-only attack vector limits direct internet exposure, AI agent frameworks deployed on shared developer workstations or CI/CD runners represent a realistic lateral movement target where credential theft enables API cost harvesting, unauthorized LLM access, and potential data exfiltration from AI workflows. A proof-of-concept exploit is already public on GitHub and the vendor has not responded to disclosure, meaning there is no official patch or remediation timeline. Organizations using hermes-agent should rotate all associated Anthropic API keys immediately, restrict credential file permissions, and avoid running hermes-agent on shared infrastructure until a patched release is confirmed.

Sources: NVD, ATLAS, VulDB

What is the risk?

Medium risk overall, but elevated for AI-heavy environments. The CVSS 5.3 score reflects the local-only attack vector (AV:L), which substantially limits the exploitable surface. However, three compounding factors increase residual risk: low attack complexity (AC:L) and low privileges required (PR:L) make exploitation trivial once local access exists; a public PoC exploit lowers the attacker skill threshold to near-zero; and the vendor's non-response to disclosure eliminates any official remediation path, leaving the vulnerability open-ended. Organizations running hermes-agent alongside high-value AI infrastructure — particularly those where API keys grant access to large-context or high-throughput model tiers — should treat this as above-average risk due to the credential pivoting potential.

How does the attack unfold?

Initial Local Access
Attacker gains low-privileged local access to a host running hermes-agent via a malicious Python package, phishing, or lateral movement from a compromised adjacent system.
AML.T0011.001
Authentication Bypass
Attacker executes the public PoC exploit targeting the improper authentication flaw in `_sync_anthropic_entry_from_credentials_file` (credential_pool.py), bypassing access controls on the agent credential pool.
AML.T0106
Credential Harvesting
Attacker reads Anthropic API keys and associated credentials from the agent's credential pool without triggering standard authentication alerts or audit events.
AML.T0083
API Abuse and Cost Harvesting
Stolen credentials are used externally to make unauthorized high-volume LLM API calls at the victim's expense, exfiltrate data processed through the API, or pivot into other services sharing the same credential store.
AML.T0034

What systems are affected?

Package: hermes-agent
Ecosystem: (not listed)
Vulnerable Range: up to and including 2026.4.23 (per the original advisory below)
Patched: No patch

Do you use hermes-agent? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): Low
A (Availability): Low

What should I do?

7 steps
  1. Rotate all Anthropic API keys associated with any hermes-agent deployment immediately — treat existing keys as potentially compromised.

  2. Restrict filesystem permissions on credential files consumed by credential_pool.py to owner-only (chmod 600, dedicated service account).

  3. Audit Anthropic API usage dashboards for anomalous request volumes, unusual access patterns, or unexpected cost spikes that may indicate active credential abuse.

  4. Isolate hermes-agent processes in single-tenant environments with strict OS-level least-privilege accounts and no shared credential stores.

  5. Do not deploy hermes-agent on shared CI/CD runners or developer workstations that also store other sensitive credentials until NousResearch releases a patched version beyond 2026.4.23.

  6. Set Anthropic API spending limits and enable usage anomaly notifications to detect cost harvesting in early stages.

  7. Monitor the NousResearch hermes-agent GitHub repository for a patched release and apply immediately when available.
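Steps 2 and 4 above reduce to one rule: the credentials file must be owner-only, and the code that reads it should refuse anything else rather than trust the operator to have run chmod. The following is an added example of a loader that enforces that at read time; it is not hermes-agent code, and the KEY=VALUE file format, the function names and the `demo()` helper are assumptions made for illustration.

```python
"""Owner-only credential file check (added example, not hermes-agent code)."""
from __future__ import annotations

import os
import stat
import tempfile


def audit_mode(mode: int, file_uid: int, expected_uid: int) -> list[str]:
    """Return findings for a secrets file given its permission bits and owner.

    Pure function so the policy can be unit-tested without touching the filesystem.
    Policy: owned by the running user, no group or world access at all.
    """
    findings: list[str] = []
    if file_uid != expected_uid:
        findings.append(f"owned by uid {file_uid}, expected {expected_uid}")
    if mode & stat.S_IRWXG:
        findings.append("group has access (%o)" % (mode & stat.S_IRWXG))
    if mode & stat.S_IRWXO:
        findings.append("others have access (%o)" % (mode & stat.S_IRWXO))
    return findings


def audit_file(path: str) -> list[str]:
    """Audit a credentials file on disk. Uses lstat so a planted symlink is rejected, not followed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    return audit_mode(stat.S_IMODE(st.st_mode), st.st_uid, os.geteuid())


def harden_file(path: str) -> None:
    """Apply the owner-only mode recommended in step 2 (chmod 600)."""
    os.chmod(path, 0o600)


def load_credentials_strict(path: str) -> dict[str, str]:
    """Parse KEY=VALUE lines, but only after the file passes the audit.

    Refusing outright (instead of logging and continuing) is the point: a loader that
    reads a group- or world-readable secrets file has already lost.
    """
    findings = audit_file(path)
    if findings:
        raise PermissionError(f"refusing to load {path}: " + "; ".join(findings))
    creds: dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    return creds


def demo() -> dict:
    """Create a constructed credentials file, show it rejected at 0644 and accepted at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w", encoding="utf-8") as fh:
            # Constructed sample value; not a real key.
            fh.write("# sample file\nANTHROPIC_API_KEY=sk-ant-PLACEHOLDER\n")
        os.chmod(path, 0o644)           # the common, unsafe default
        before = audit_file(path)
        try:
            load_credentials_strict(path)
            loaded_before = True
        except PermissionError:
            loaded_before = False
        harden_file(path)
        after = audit_file(path)
        creds = load_credentials_strict(path)
        return {
            "before": before,
            "loaded_before": loaded_before,
            "after": after,
            "key_present": "ANTHROPIC_API_KEY" in creds,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ownership check matters as much as the mode bits: a file that is 0600 but owned by another account is still readable by that account, which is exactly the shared-workstation case the advisory describes. The check is Unix-specific (`os.geteuid`); on Windows the equivalent is an ACL inspection.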

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.3 - Roles, responsibilities and authorities related to AI systems
A.8.4 - AI system operation — security controls
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk management across the supply chain
MANAGE-2.2 - Mechanisms to sustain AI risk management over time
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2026-10548?

CVE-2026-10548 is an improper authentication flaw (CWE-287) in the credential pool synchronization component of NousResearch hermes-agent, specifically in `_sync_anthropic_entry_from_credentials_file` in `agent/credential_pool.py`. A low-privileged local attacker can use it to bypass access controls and read Anthropic API credentials from the agent's credential pool. A proof-of-concept exploit is public on GitHub and the vendor has not responded to disclosure, so there is no official patch or remediation timeline. The CISO Take at the top of this page gives the full assessment and recommended actions.

Is CVE-2026-10548 actively exploited?

No confirmed active exploitation of CVE-2026-10548 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-10548?

  1. Rotate all Anthropic API keys associated with any hermes-agent deployment immediately — treat existing keys as potentially compromised.

  2. Restrict filesystem permissions on credential files consumed by `credential_pool.py` to owner-only (chmod 600, dedicated service account).

  3. Audit Anthropic API usage dashboards for anomalous request volumes, unusual access patterns, or unexpected cost spikes that may indicate active credential abuse.

  4. Isolate hermes-agent processes in single-tenant environments with strict OS-level least-privilege accounts and no shared credential stores.

  5. Do not deploy hermes-agent on shared CI/CD runners or developer workstations that also store other sensitive credentials until NousResearch releases a patched version beyond 2026.4.23.

  6. Set Anthropic API spending limits and enable usage anomaly notifications to detect cost harvesting in early stages.

  7. Monitor the NousResearch hermes-agent GitHub repository for a patched release and apply immediately when available.

What systems are affected by CVE-2026-10548?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM API integration pipelines, CI/CD pipelines with AI agent automation, Developer workstations with local AI tooling, Multi-tenant AI development environments.

What is the CVSS score for CVE-2026-10548?

CVE-2026-10548 has a CVSS v3.1 base score of 5.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
LLM API integration pipelines
CI/CD pipelines with AI agent automation
Developer workstations with local AI tooling
Multi-tenant AI development environments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0034 Cost Harvesting
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.3, A.8.4
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.23. This affects the function _sync_anthropic_entry_from_credentials_file of the file agent/credential_pool.py of the component Credential Pool Synchronization. The manipulation results in improper authentication. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker who has gained low-privileged access to a developer workstation running hermes-agent — via a malicious pip package in the AI development environment, phishing, or lateral movement from a compromised adjacent host — downloads the public PoC exploit from the GitHub gist reference and executes it locally. The exploit targets the authentication bypass in `_sync_anthropic_entry_from_credentials_file` within `agent/credential_pool.py`, reading Anthropic API credentials from the credential pool without triggering proper access controls. The attacker exfiltrates the extracted API keys to an external system and begins making high-volume LLM API calls against the victim's account — consuming paid quota (cost harvesting), processing attacker-controlled inputs to extract sensitive model behavior, or pivoting into other internal services that trust the same credentials. The attack leaves minimal forensic traces if the victim lacks API-level audit logging.
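The scenario's last sentence is the defender's lever: cost harvesting that is quiet on the host is loud in the API usage data, which is what steps 3 and 6 of the recommendations rely on. The following is an added example, not from this page or from the vendor, of a simple spike check over an hourly usage export. The CSV columns, the sample rows and the thresholds are constructed for illustration and are not the real Anthropic usage export schema.

```python
"""Flag cost-harvesting patterns in an hourly API usage export (added example)."""
from __future__ import annotations

import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one row per (hour, key). key_ci_01 runs a normal
# daytime workload, then explodes at 03:00-04:00 the next day. key_dev_02 is quiet.
SAMPLE_USAGE = """timestamp,key_id,requests,input_tokens,output_tokens
2026-06-01T09:00:00Z,key_ci_01,40,120000,30000
2026-06-01T10:00:00Z,key_ci_01,55,150000,35000
2026-06-01T11:00:00Z,key_ci_01,48,130000,32000
2026-06-01T12:00:00Z,key_ci_01,52,140000,33000
2026-06-01T13:00:00Z,key_ci_01,45,125000,30000
2026-06-02T03:00:00Z,key_ci_01,900,5200000,1100000
2026-06-02T04:00:00Z,key_ci_01,1200,7800000,1500000
2026-06-01T09:00:00Z,key_dev_02,10,20000,5000
2026-06-01T10:00:00Z,key_dev_02,12,24000,6000
2026-06-02T10:00:00Z,key_dev_02,11,22000,5500
"""


def parse_usage(text: str) -> list[dict]:
    """Parse the export into rows sorted by key and time; tokens = input + output."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "key_id": rec["key_id"],
            "requests": int(rec["requests"]),
            "tokens": int(rec["input_tokens"]) + int(rec["output_tokens"]),
        })
    rows.sort(key=lambda r: (r["key_id"], r["ts"]))
    return rows


def find_anomalies(rows: list[dict], spike_factor: float = 5.0,
                   baseline_hours: int = 3, quiet_hours: range = range(0, 6)) -> list[dict]:
    """Per key, take the median of the first `baseline_hours` rows as the baseline and
    flag any later hour whose requests or tokens exceed spike_factor x that baseline.
    Hours inside `quiet_hours` are additionally tagged as off-hours activity."""
    by_key: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        by_key[r["key_id"]].append(r)

    findings = []
    for key_id, recs in by_key.items():
        if len(recs) <= baseline_hours:
            continue  # not enough history to judge this key
        base = recs[:baseline_hours]
        base_req = statistics.median(r["requests"] for r in base)
        base_tok = statistics.median(r["tokens"] for r in base)
        for r in recs[baseline_hours:]:
            reasons = []
            if r["requests"] > spike_factor * base_req:
                reasons.append(f"requests {r['requests']} vs baseline {base_req:.0f}")
            if r["tokens"] > spike_factor * base_tok:
                reasons.append(f"tokens {r['tokens']} vs baseline {base_tok:.0f}")
            if reasons:
                findings.append({
                    "key_id": key_id,
                    "hour": r["ts"].isoformat(),
                    "requests": r["requests"],
                    "tokens": r["tokens"],
                    "off_hours": r["ts"].hour in quiet_hours,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_usage(SAMPLE_USAGE)):
        tag = " [off-hours]" if f["off_hours"] else ""
        print(f"{f['key_id']} {f['hour']}{tag}: " + "; ".join(f["reasons"]))
```

A fixed first-N-hours baseline is deliberately naive; in production you would use a rolling window per key and pair the volume check with a hard spending cap at the provider, since a cap stops the bleeding even when the alert is missed.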

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Timeline

Published
June 2, 2026
Last Modified
June 3, 2026
First Seen
June 12, 2026
