Description
A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. This vulnerability affects the function _handle_webhook_request of the file gateway/platforms/feishu.py of the component Webhook Endpoint. Such manipulation leads to resource consumption. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the _handle_webhook_request function of the feishu.py component in NousResearch Hermes Agent. It permits an attacker to send crafted webhook requests that cause excessive resource consumption. This overconsumption can degrade or interrupt service availability, effectively draining CPU or memory and resulting in denial of service. The weakness is classified as uncontrolled resource consumption (CWE‑400) combined with improper resource shutdown or release (CWE‑404).

Affected Systems

Any installation of NousResearch Hermes Agent up to and including version 2026.4.30 is affected. No newer releases have been confirmed as fixed, and there are no public upgrade paths listed by the vendor at this time. The vulnerability specifically targets the webhook endpoint exposed by the feishu.py module.

Risk and Exploitability

The CVSS base score of 6.9 indicates medium severity, but the flaw can be triggered remotely with no authentication, making it readily exploitable. The exploit has been disclosed publicly, so attackers could use it without delay until a patch is deployed. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of widespread exploitation remains uncertain, yet the server‑side nature of the attack and its ability to cause service interruption warrant vigilance.

Generated by OpenCVE AI on June 1, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Request and apply the vendor’s patch as soon as it becomes available.
  • Restrict external access to the Hermes Agent webhook endpoint using firewall rules or network segmentation, limiting traffic to trusted sources.
  • Implement application‑level rate limiting or input validation on the webhook endpoint to mitigate excessive request volumes.
  • Monitor audit logs and performance metrics for abnormal traffic patterns or resource spikes, and consider temporarily disabling the webhook endpoint if high load is detected.


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 05:45:00 +0000

Values Removed: none
Values Added:

  • Description: A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. This vulnerability affects the function _handle_webhook_request of the file gateway/platforms/feishu.py of the component Webhook Endpoint. Such manipulation leads to resource consumption. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: NousResearch hermes-agent Webhook Endpoint feishu.py _handle_webhook_request resource consumption
  • First Time appeared: Nousresearch; Nousresearch hermes-agent
  • Weaknesses: CWE-400; CWE-404
  • CPEs: cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
  • Vendors & Products: Nousresearch; Nousresearch hermes-agent
  • References:
  • Metrics:
      cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T04:30:08.987Z

Reserved: 2026-05-31T07:51:32.069Z

Link: CVE-2026-10224

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T06:16:38.657

Modified: 2026-06-01T06:16:38.657

Link: CVE-2026-10224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T08:15:23Z

Weaknesses