Description
A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. The manipulation leads to improper handling of case sensitivity. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The project decided to not implement a dedicated fix: "[T]he analysis and the fix are both sound. It just lands below the bar for the maintenance cost of a duplicated scrub path."
Published: 2026-07-03
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the GatewayStreamConsumer._filter_and_accumulate function within the Streaming Reasoning Tag Filter component of the NousResearch Hermes Agent. Improper case‑sensitive handling allows malicious input to bypass tag filtering, potentially exposing data or causing misclassification. The issue can be triggered remotely, has a high attack complexity rating, and is considered difficult to exploit, yet it has already been disclosed publicly.

Affected Systems

The flaw is present in NousResearch Hermes Agent releases up to and including version 2026.4.30. It is located in gateway/stream_consumer.py of the Streaming Reasoning Tag Filter component and affects any deployment that incorporates this component, regardless of other installed software.

Risk and Exploitability

The CVSS score of 2.3 signals a low severity assessment. The EPSS value of less than 1 % and the absence from CISA’s KEV catalog further suggest limited real‑world exploit likelihood. While remote initiation is possible, the high complexity and noted difficulty of exploitation mean that the risk to unpatched systems remains modest, though the lack of an official fix warrants caution.

Generated by OpenCVE AI on July 5, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer release of NousResearch Hermes Agent that resolves the case‑sensitivity bug, if one is available.
  • If no update exists, modify the GatewayStreamConsumer._filter_and_accumulate function to enforce strict case‑sensitive comparison for tag validation.
  • Restrict the streaming interface to authenticated and authorized users only, and enable detailed logging of all tag‑processing activity to detect potential bypass attempts.


Advisories

No advisories yet.

History

Fri, 03 Jul 2026 22:00:00 +0000

Values Added (the Values Removed column is empty):

  • Description: A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. The manipulation leads to improper handling of case sensitivity. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The project decided to not implement a dedicated fix: "[T]he analysis and the fix are both sound. It just lands below the bar for the maintenance cost of a duplicated scrub path."
  • Title: NousResearch hermes-agent Streaming Reasoning Tag Filter stream_consumer.py GatewayStreamConsumer._filter_and_accumulate case sensitivity
  • First Time appeared: Nousresearch; Nousresearch hermes-agent
  • Weaknesses: CWE-178; CWE-697
  • CPEs: cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
  • Vendors & Products: Nousresearch; Nousresearch hermes-agent
  • References: (empty)
  • Metrics:

    cvssV2_0: {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C'}

    cvssV3_0: {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C'}

    cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C'}

    cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-03T21:45:10.246Z

Reserved: 2026-07-03T16:31:16.337Z

Link: CVE-2026-14617

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:15:15Z

Weaknesses
  • CWE-178

    Improper Handling of Case Sensitivity

  • CWE-697

    Incorrect Comparison