CVE-2026-53870

Name of the Vulnerable Software and Affected Versions Hermes Agent versions prior to 0.16.0

Description The software creates response store.db and webhook subscriptions.json files with world-readable permissions (mode 0o644). This configuration allows local users with filesystem access to read these files directly, exposing sensitive data such as conversation history, tool payloads, prompts, and per-route HMAC (Hash-based Message Authentication Code) secrets, which are used to verify the integrity and authenticity of messages.

Recommendations Update to version 0.16.0 or later.