File Permission Vulnerability in Hermes Agent by Nous Research
CVE-2026-53870

6.8MEDIUM

Key Information:

Vendor

Nousresearch

Status
Hermes-agent
Vendor
CVE Published:
17 June 2026

What is CVE-2026-53870?

The Hermes Agent, prior to version 0.16.0, has a flaw that results from world-readable permissions for its response_store.db and webhook_subscriptions.json files, which are set to mode 0o644. This configuration allows local users to access and read these files, potentially exposing sensitive information such as conversation history, HMAC secrets, and tool payloads. This vulnerability poses significant risks for users who may inadvertently allow unauthorized access to local filesystem data, making it crucial to update to the latest version to mitigate these risks.

Affected Version(s)

hermes-agent 0 < 0.16.0

hermes-agent 0.16.0

References

https://github.com/NousResearch/hermes-agent/releases/tag...
release-notes
https://github.com/NousResearch/hermes-agent/pull/30917
issue-tracking
https://github.com/NousResearch/hermes-agent/pull/31469
issue-tracking

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon
.