Impact
The vulnerability exists in the GatewayStreamConsumer._filter_and_accumulate function within the Streaming Reasoning Tag Filter component of the NousResearch Hermes Agent. Improper case‑sensitive handling allows malicious input to bypass tag filtering, potentially exposing data or causing misclassification. The issue can be triggered remotely, has a high attack complexity rating, and is considered difficult to exploit, yet it has already been disclosed publicly.
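A minimal sketch of the bug class described above, added here as an example and not the Hermes Agent code: a streaming tag filter that matches reasoning tags case-insensitively, including tags split across chunk boundaries. The tag names, class and function names are assumptions; `case_sensitive=True` reproduces the weak matching for comparison.

```python
import re
# Assumed tag names: the advisory does not list the tags the real filter handles.
REASONING_TAGS = ("think", "reasoning")

class ReasoningTagFilter:
    """Drops <tag>...</tag> spans from a chunked stream."""
    def __init__(self, tags=REASONING_TAGS, case_sensitive=False):
        # case_sensitive=True models the weak matching the advisory describes.
        self._flags = 0 if case_sensitive else re.IGNORECASE
        names = "|".join(re.escape(t) for t in tags)
        self._open = re.compile(rf"<({names})>", self._flags)
        self._hold = max(len(t) for t in tags) + 2  # len of longest "<tag>"
        self._buf = ""
        self._close = None  # compiled closing-tag pattern while inside a span

    def _safe_cut(self):
        # Hold back a trailing "<..." that may be an opening tag split across chunks.
        i = self._buf.rfind("<")
        if i != -1 and ">" not in self._buf[i:] and len(self._buf) - i < self._hold:
            return i
        return len(self._buf)

    def feed(self, chunk):
        self._buf += chunk
        out = []
        while True:
            if self._close is None:
                m = self._open.search(self._buf)
                cut = m.start() if m else self._safe_cut()
                out.append(self._buf[:cut])
                self._buf = self._buf[m.end():] if m else self._buf[cut:]
                if not m:
                    break
                self._close = re.compile(rf"</{re.escape(m.group(1))}>", self._flags)
            else:
                m = self._close.search(self._buf)
                if not m:
                    self._buf = self._buf[-self._hold:]  # keep tail for a split closer
                    break
                self._buf, self._close = self._buf[m.end():], None
        return "".join(out)

    def flush(self):  # fail closed: an unterminated reasoning span is dropped
        tail, self._buf = ("" if self._close else self._buf), ""
        return tail

def filter_stream(chunks, **kw):
    f = ReasoningTagFilter(**kw)
    return "".join(f.feed(c) for c in chunks) + f.flush()

SAMPLE = ["Hi <TH", "INK>secret plan</Thi", "nk> there"]  # constructed input
```

Running `filter_stream(SAMPLE)` removes the mixed-case span, while `filter_stream(SAMPLE, case_sensitive=True)` passes it through unchanged, which makes the pair usable as a regression test for a fix.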
Affected Systems
The vulnerability affects NousResearch Hermes Agent releases up to and including version 2026.4.30. The flaw is located in gateway/stream_consumer.py of the Streaming Reasoning Tag Filter component, and affects any deployment that incorporates this component regardless of other installed software.
Risk and Exploitability
The CVSS score of 2.3 signals a low severity assessment. The EPSS value of less than 1 % and the absence from CISA’s KEV catalog further suggest limited real‑world exploit likelihood. While remote initiation is possible, the high complexity and noted difficulty of exploitation mean that the risk to unpatched systems remains modest, though the lack of an official fix warrants caution.