Vulnerability Details :

CVE-2026-14617

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-03 Jul, 2026 | 21:45
Updated At-03 Jul, 2026 | 21:45

NousResearch hermes-agent Streaming Reasoning Tag Filter stream_consumer.py GatewayStreamConsumer._filter_and_accumulate case sensitivity

A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. It affects the function GatewayStreamConsumer._filter_and_accumulate in the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. Manipulation leads to improper handling of case sensitivity. The attack may be initiated remotely. Attack complexity is rated as high, and exploitation is said to be difficult. The exploit has been disclosed publicly and may be used. The project decided not to implement a dedicated fix: "[T]he analysis and the fix are both sound. It just lands below the bar for the maintenance cost of a duplicated scrub path."

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor
NousResearch
Product
hermes-agent
CPEs
  • cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
Modules
  • Streaming Reasoning Tag Filter
Versions
Affected
  • 2026.4.0
  • 2026.4.1
  • 2026.4.2
  • 2026.4.3
  • 2026.4.4
  • 2026.4.5
  • 2026.4.6
  • 2026.4.7
  • 2026.4.8
  • 2026.4.9
  • 2026.4.10
  • 2026.4.11
  • 2026.4.12
  • 2026.4.13
  • 2026.4.14
  • 2026.4.15
  • 2026.4.16
  • 2026.4.17
  • 2026.4.18
  • 2026.4.19
  • 2026.4.20
  • 2026.4.21
  • 2026.4.22
  • 2026.4.23
  • 2026.4.24
  • 2026.4.25
  • 2026.4.26
  • 2026.4.27
  • 2026.4.28
  • 2026.4.29
  • 2026.4.30
Problem Types
Type: CWE
CWE ID: CWE-178
Description: Improper Handling of Case Sensitivity
Type: CWE
CWE ID: CWE-697
Description: Incorrect Comparison
Metrics
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 3.1
Base severity: LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C
Version: 3.0
Base score: 3.1
Base severity: LOW
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C
Version: 2.0
Base score: 2.1
Base severity: N/A
Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C
Credits

reporter: Eric-a (VulDB User)
coordinator: VulDB CNA Team
Timeline
Event: Advisory disclosed
Date: 2026-07-03 00:00:00
Event: VulDB entry created
Date: 2026-07-03 02:00:00
Event: VulDB entry last update
Date: 2026-07-03 18:36:25
References
Hyperlink: https://vuldb.com/vuln/376134
Resource: vdb-entry, technical-description
Hyperlink: https://vuldb.com/vuln/376134/cti
Resource: signature, permissions-required
Hyperlink: https://vuldb.com/cve/CVE-2026-14617
Resource: third-party-advisory
Hyperlink: https://vuldb.com/submit/844654
Resource: third-party-advisory
Hyperlink: https://github.com/NousResearch/hermes-agent/issues/27288
Resource: issue-tracking
Hyperlink: https://github.com/NousResearch/hermes-agent/pull/28631#issuecomment-4622188016
Resource: issue-tracking, patch
Hyperlink: https://gist.github.com/YLChen-007/2229e5505bcbb3e15a7ae8fba4c4be37
Resource: exploit
Hyperlink: https://github.com/NousResearch/hermes-agent/
Resource: product
National Vulnerability Database (NVD)
nvd.nist.gov
Source: cna@vuldb.com
Published At: 03 Jul, 2026 | 22:16
Updated At: 03 Jul, 2026 | 22:16

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 1.3
Base severity: LOW
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 3.1
Base severity: LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 2.0
Base score: 2.1
Base severity: LOW
Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N
Weaknesses
CWE ID: CWE-178
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-697
Type: Primary
Source: cna@vuldb.com
References
Hyperlink: https://gist.github.com/YLChen-007/2229e5505bcbb3e15a7ae8fba4c4be37
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/NousResearch/hermes-agent/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/NousResearch/hermes-agent/issues/27288
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/NousResearch/hermes-agent/pull/28631#issuecomment-4622188016
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/cve/CVE-2026-14617
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/844654
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/376134
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/376134/cti
Source: cna@vuldb.com
Resource: N/A


Similar CVEs

2 Records found

CVE-2026-9369
Matching Score-6
Assigner-VulDB
CVSS Score-4.8 | MEDIUM
EPSS-0.23% / 13.56%
7 Day CHG~0.00%
Published-24 May, 2026 | 09:00
Updated-26 May, 2026 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NousResearch hermes-agent CLI web-dashboard web_server.py _discover_dashboard_plugins comparison

A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function _discover_dashboard_plugins of the file hermes_cli/web_server.py of the component CLI web-dashboard Interface. Performing a manipulation of the argument HERMES_ENABLE_PROJECT_PLUGINS results in incorrect comparison. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-NousResearch
Product-hermes-agent
CWE ID-CWE-697
Incorrect Comparison
CVE-2020-5301
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3 | LOW
EPSS-0.92% / 55.96%
7 Day CHG~0.00%
Published-21 Apr, 2020 | 19:50
Updated-04 Aug, 2024 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure of source code in SimpleSAMLphp

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. This issue is fixed in version 1.18.6.

Action-Not Available
Vendor-simplesamlphp
Product-simplesamlphp
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-178
Improper Handling of Case Sensitivity