Vulnerability  ·  2026-07-05

NousResearch hermes-agent — Streaming Reasoning Tag Filter Case-Sensitivity Bypass (Info Disclosure)

Vulnerability  ·  Low impact  ·  Global  ·  CVE-2026-14617
A case-sensitivity flaw in hermes-agent's streaming reasoning tag filter lets crafted case variants slip past the filter, exposing content that should have been redacted from the stream. Published to NVD July 3, 2026, CVSS 3.1 (Low); attack complexity high.
The flaw could leak internal reasoning/chain-of-thought content that operators intended to keep hidden from end users, a narrow but real information-disclosure risk in an agentic streaming pipeline.
GatewayStreamConsumer._filter_and_accumulate in gateway/stream_consumer.py improperly handles case sensitivity when filtering streaming reasoning tags, allowing an attacker to bypass the filter using mixed-case tags and leak content intended to be hidden (e.g., hidden chain-of-thought/reasoning tokens).
NousResearch hermes-agent ≤ 2026.4.30
Vendor has assessed the flaw but declined a dedicated fix due to maintenance cost; operators should not rely on this filter alone to keep reasoning tokens confidential.
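
The sketch below is an added example, not hermes-agent's code: it shows the same streaming redactor leaking on mixed-case tags when it matches case-sensitively and holding when it matches case-insensitively. It goes slightly beyond the advisory by also handling tags split across chunk boundaries. The `<think>` tag name, the `ReasoningFilter` class, the `run` helper and the sample stream are assumptions made for illustration.

```python
import re

# Assumption: "think" stands in for the reasoning tag; the advisory names no tag.
OPEN, CLOSE = "<think>", "</think>"

class ReasoningFilter:
    """Drops text between OPEN and CLOSE, including tags split across chunks."""

    def __init__(self, ignore_case=True):
        flags = re.IGNORECASE if ignore_case else 0
        # Index 0 is searched while visible, index 1 while hidden.
        self._tags = (re.compile(re.escape(OPEN), flags),
                      re.compile(re.escape(CLOSE), flags))
        self._fold = str.lower if ignore_case else (lambda s: s)
        self._buf, self._hidden = "", False

    def _partial(self, tag):
        # Longest suffix of the buffer that could still grow into `tag`.
        text = self._fold(self._buf)
        for n in range(min(len(text), len(tag) - 1), 0, -1):
            if tag.startswith(text[-n:]):
                return n
        return 0

    def feed(self, chunk):
        """Return the text from the stream so far that is safe to display."""
        self._buf += chunk
        out = []
        while (m := self._tags[self._hidden].search(self._buf)):
            if not self._hidden:
                out.append(self._buf[:m.start()])
            self._buf, self._hidden = self._buf[m.end():], not self._hidden
        # Hold back a possible half-received tag until the next chunk arrives.
        cut = len(self._buf) - self._partial(CLOSE if self._hidden else OPEN)
        if not self._hidden:
            out.append(self._buf[:cut])
        self._buf = self._buf[cut:]
        return "".join(out)

    def flush(self):
        # Fail closed: an unterminated hidden block is never released.
        tail, self._buf = ("" if self._hidden else self._buf), ""
        return tail

def run(chunks, ignore_case):
    f = ReasoningFilter(ignore_case)
    return "".join(f.feed(c) for c in chunks) + f.flush()

# Constructed sample stream: mixed-case tags, each split across a chunk boundary.
SAMPLE = ["Hi <Th", "INK>secret plan</thi", "NK> done"]
```

Running `run(SAMPLE, ignore_case=False)` passes the hidden span through untouched, while `run(SAMPLE, ignore_case=True)` removes it. A regression test for any such filter should include mixed-case and chunk-split tags.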
SecurityVulnerability.io - CVE-2026-14617
NVD - CVE-2026-14617