Vulnerability  ·  2026-07-05

NousResearch hermes-agent — HTTP API Denial of Service via 'todos' Parameter

Vulnerability  ·  Low impact  ·  Global  ·  CVE-2026-14626
hermes-agent's HTTP API is vulnerable to a remotely-triggerable denial-of-service condition via crafted values in the 'todos' argument. Published to NVD July 4, 2026, CVSS 4.3 (Medium).
Allows an unauthenticated caller to disrupt an agent's HTTP API availability, impacting any workflow depending on that agent instance, though blast radius is limited to availability (no data compromise).
Manipulation of the 'todos' argument passed to AIAgent.run_conversation in run_agent.py causes a denial-of-service condition, triggerable remotely.
NousResearch hermes-agent ≤ 2026.4.30
No confirmed patched version; apply input-size/type validation on the 'todos' parameter as a workaround.
NVD - CVE-2026-14626
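
The workaround above, sketched as an added example (not code from hermes-agent or from the advisory): a pre-check to run on 'todos' before the value reaches AIAgent.run_conversation. The list-of-objects shape, every limit, and the names validate_todos and TodosRejected are assumptions, since the advisory does not describe the expected schema.

```python
import math

# Assumed limits and shape (a list of objects); not taken from hermes-agent's code.
MAX_ITEMS = 100       # entries in todos, or in any nested list/object
MAX_STR_LEN = 2000    # characters in any key or string value
MAX_DEPTH = 3         # nesting levels below the top-level list
MAX_NODES = 2000      # total values inspected per request


class TodosRejected(ValueError):
    """Validation failure; the HTTP layer should answer 400 without calling the agent."""


def validate_todos(todos):
    """Return todos unchanged when it is a bounded list of dicts, else raise."""
    if todos is None:
        return None
    if not isinstance(todos, list):
        raise TodosRejected(f"todos must be a list, got {type(todos).__name__}")
    if len(todos) > MAX_ITEMS or not all(isinstance(t, dict) for t in todos):
        raise TodosRejected(f"todos must hold at most {MAX_ITEMS} objects")
    # Iterative walk with a node budget: deep nesting cannot hit the recursion
    # limit, and total work per request is capped.
    stack = [(item, 1) for item in todos]
    seen = 0
    while stack:
        value, depth = stack.pop()
        seen += 1
        if seen > MAX_NODES or depth > MAX_DEPTH:
            raise TodosRejected("todos is too large or too deeply nested")
        if isinstance(value, (dict, list)):
            if len(value) > MAX_ITEMS:
                raise TodosRejected(f"container with more than {MAX_ITEMS} members")
            if isinstance(value, dict):
                for key in value:
                    if not isinstance(key, str) or len(key) > MAX_STR_LEN:
                        raise TodosRejected("object keys must be short strings")
                value = list(value.values())
            stack.extend((child, depth + 1) for child in value)
        elif isinstance(value, str):
            if len(value) > MAX_STR_LEN:
                raise TodosRejected(f"string longer than {MAX_STR_LEN} characters")
        elif isinstance(value, float):
            if not math.isfinite(value):
                raise TodosRejected("non-finite number")
        elif value is not None and not isinstance(value, (bool, int)):
            raise TodosRejected(f"unsupported type {type(value).__name__}")
    return todos
```

Run the check in the HTTP handler, before the request body is handed to the agent, and log each rejection with the caller's address so repeated attempts are visible.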