PatchSiren cyber security CVE debrief
CVE-2026-14626 NousResearch CVE debrief
CVE-2026-14626 is a weakness in NousResearch hermes-agent up to version 2026.4.30. The AIAgent.run_conversation function in the run_agent.py file of the HTTP API component is vulnerable to manipulation of the 'todos' argument, leading to a denial of service (DoS) condition. The vulnerability has a CVSS score of 2.1, indicating low severity. The attack can be initiated remotely, and public exploit availability could facilitate attacks. The vendor, NousResearch, did not respond to early disclosure. As of the CVE publication date of 2026-07-04, there is limited information available on affected products or versions. Further investigation and defensive actions are necessary to address this vulnerability.
- Vendor: NousResearch
- Product: hermes-agent
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-07-04
- Original CVE updated: 2026-07-04
- Advisory published: 2026-07-04
- Advisory updated: 2026-07-04
Who should care
Security teams responsible for NousResearch hermes-agent deployments should prioritize assessment and mitigation of CVE-2026-14626. Given the low CVSS score, this vulnerability may not be a critical priority but still requires attention due to potential remote exploitation and public exploit availability. Organizations using affected versions of NousResearch hermes-agent should review their inventory and apply patches or mitigations as they become available.
Technical summary
CVE-2026-14626 affects NousResearch hermes-agent up to version 2026.4.30, specifically the AIAgent.run_conversation function of the run_agent.py file within the HTTP API component. The vulnerability allows remote denial of service (DoS) attacks through manipulation of the 'todos' argument. The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a low severity score of 2.1. The weakness is categorized under CWE-404. Public exploit availability, together with network reachability and low attack complexity (AV:N and AC:L in the vector), increases the urgency for affected organizations to assess and mitigate this vulnerability.
Defensive priority
CVE-2026-14626 has a low CVSS score of 2.1, but its remote exploitability and public exploit availability suggest a moderate priority for defensive actions. Security teams should focus on inventory checks, patch management, and potential compensating controls for NousResearch hermes-agent deployments.
Recommended defensive actions
- Assess NousResearch hermes-agent deployments to identify affected versions (up to 2026.4.30).
- Monitor for and apply patches or updates from NousResearch as they become available.
- Implement network and API protections to detect and prevent exploitation attempts.
- Review and enhance logging and monitoring for suspicious activity related to the HTTP API.
- Consider compensating controls if patches are not immediately feasible.
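For the first action above, an inventory triage sketch (an added example, not code from NousResearch or the advisory). It compares versions numerically, because a plain string comparison would sort 2026.10.1 before 2026.4.30 and misreport it. The hostnames and versions are constructed, and how versions are collected from hosts is assumed to happen elsewhere.

```python
import re

# Last affected release according to this debrief ("up to version 2026.4.30").
LAST_AFFECTED = (2026, 4, 30)

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, or None.

    A leading 'v' and a trailing alphabetic suffix such as '-dev' or 'rc1'
    are tolerated; only the numeric part is compared.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-+.]?[A-Za-z].*)?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def classify(version):
    """'affected', 'not-listed' (newer than the stated range) or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # e.g. a branch name: needs manual review
    # The debrief states no fixed version, so newer builds are only
    # "not listed as affected", not confirmed safe.
    return "affected" if parsed <= LAST_AFFECTED else "not-listed"

def triage(inventory):
    """Classify (host, version) pairs; affected first, then unknown."""
    order = {"affected": 0, "unknown": 1, "not-listed": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("agent-01", "2026.4.30"),
    ("agent-02", "2026.10.1"),
    ("agent-03", "v2026.3.9"),
    ("agent-04", "main"),
    ("agent-05", "2026.4.30-dev"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host:10} {ver:16} {status}")
```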
Evidence notes
The CVE and NVD records provide initial details on CVE-2026-14626. However, limited information is available on affected products, versions, or user bases. The vendor, NousResearch, did not respond to early disclosure. Further investigation is needed to determine the full scope of impacted systems and to verify vendor remediation plans.
Official resources
This CVE debrief is AI-assisted and based on the supplied source corpus.