Vulnerability  ·  2026-07-05

NousResearch hermes-agent — Path Traversal in Live Webhook Media Extraction

Vulnerability · Medium impact · Global · CVE-2026-14628
A path traversal vulnerability in hermes-agent's webhook media-extraction handler allows remote, unauthenticated file reads via crafted requests. Published to NVD July 4, 2026, CVSS 5.3 (Medium); public exploit exists.
Exposes files on the host running the agent gateway to unauthenticated remote read, potentially including configuration files, credentials, or conversation logs handled by the agent.
The extract_media function in gateway/platforms/base.py fails to sanitize file paths derived from webhook input, allowing a remote unauthenticated attacker to read files outside the intended directory via the Live Webhook Endpoint.
NousResearch hermes-agent ≤ 2026.5.16
No confirmed fixed version at publication; the vendor is reported as unresponsive to disclosure. As a workaround, restrict exposure of the live webhook endpoint (network restrictions or authentication in front of it) and canonicalize every webhook-derived file path, rejecting any that does not resolve to a location under the intended media directory.
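The following is an added illustration of the defect class and the workaround described above; it is not hermes-agent code and the function names (extract_media_unsafe, resolve_media_path, extract_media_safe) and the media-directory layout are assumptions. It builds a throwaway media root with a secret file one level above it, shows the unsanitized join reading that file via "../", and shows a containment check that rejects traversal, absolute paths and symlinks pointing outside the root.

```python
"""
Added example (not hermes-agent code): a path-containment check for a
media-extraction handler that builds filesystem paths from webhook input.

extract_media_unsafe, resolve_media_path, extract_media_safe and the
fixture layout are assumptions for illustration; only the defect class
(unsanitized join of untrusted input onto a base directory) matches the
advisory.
"""
import os
import tempfile
from pathlib import Path


class MediaPathError(ValueError):
    """Raised when a webhook-supplied path would escape the media root."""


def extract_media_unsafe(media_root: str, requested: str) -> bytes:
    """Vulnerable pattern: join untrusted input onto the root and read it.
    '..' components and absolute paths pass straight through."""
    return Path(media_root, requested).read_bytes()


def resolve_media_path(media_root: str, requested: str) -> Path:
    """Hardened resolution: canonicalize, then require the result to stay
    under the media root. Rejects NUL bytes, absolute paths, '..' escapes
    and symlinks whose target lies outside the root."""
    if "\x00" in requested:
        raise MediaPathError("NUL byte in path")
    if os.path.isabs(requested):
        raise MediaPathError("absolute path not allowed")
    root = Path(media_root).resolve(strict=True)
    # resolve() follows symlinks and collapses '..' before the check
    candidate = (root / requested).resolve(strict=False)
    if root != candidate and root not in candidate.parents:
        raise MediaPathError(f"path escapes media root: {requested!r}")
    return candidate


def extract_media_safe(media_root: str, requested: str) -> bytes:
    return resolve_media_path(media_root, requested).read_bytes()


def demo() -> dict:
    """Constructed fixture: media/ with one image, and a config file one
    level above it plus a symlink to that file inside media/."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "media")
    os.mkdir(root)
    Path(root, "img.png").write_bytes(b"PNGDATA")
    Path(base, "config.yaml").write_text("api_key: hunter2\n")  # outside root
    os.symlink(os.path.join(base, "config.yaml"), os.path.join(root, "link"))

    results = {}
    results["unsafe_normal"] = extract_media_unsafe(root, "img.png")
    # Traversal succeeds against the unsanitized join and leaks the secret.
    results["unsafe_traversal"] = extract_media_unsafe(root, "../config.yaml")
    results["safe_normal"] = extract_media_safe(root, "img.png")
    attempts = [
        ("safe_traversal", "../config.yaml"),
        ("safe_nested_dotdot", "sub/../../config.yaml"),
        ("safe_absolute", os.path.join(base, "config.yaml")),
        ("safe_symlink", "link"),
    ]
    for name, req in attempts:
        try:
            extract_media_safe(root, req)
            results[name] = "allowed"
        except MediaPathError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The symlink case is the one a purely lexical check (stripping "..") misses: the path looks clean but the file it opens is outside the root, which is why the check runs on the resolved path. Percent-decoding of the raw request is left to the webhook framework; the check assumes it receives the already-decoded string.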
References: Tenable - CVE-2026-14628; CVE.org Record - CVE-2026-14628