A vulnerability has been found in NousResearch hermes-agent up to 2026.4.30 and classified as problematic. The impacted element is the function
AIAgent.run_conversation of the file run_agent.py of the component HTTP API. This manipulation of the argument todos causes denial of service.
This vulnerability is handled as CVE-2026-14626. The attack can be initiated remotely. Additionally, an exploit exists.
The vendor was contacted early about this disclosure but did not respond in any way.