Submit #800800: NousResearch hermes-agent 0.8.0 Unauthenticated Remote Code Executioninfo

TitleNousResearch hermes-agent 0.8.0 Unauthenticated Remote Code Execution
DescriptionThe hermes-agent API server (OpenAI-compatible HTTP interface) completely disables authentication when no API_SERVER_KEY is configured, which is the default state, any unauthenticated network client can send arbitrary prompts to the agent. The agent's built-in terminal tool then executes OS commands on the host machine — achieving full Remote Code Execution (RCE) without any credentials.
Source⚠️ https://github.com/NousResearch/hermes-agent/issues/6439
User
 Yu-Bao (UID 96702)
Submission04/09/2026 08:03 (3 months ago)
Moderation04/26/2026 17:55 (17 days later)
StatusAccepted
VulDB entry359712 [NousResearch hermes-agent 0.8.0 API_SERVER_KEY api_server.py _check_auth improper authentication]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!