Vulnerability  ·  2026-07-07

NousResearch hermes-agent — Path Traversal in skill_view Function

VulnerabilityMedium impactGlobalCVE-2026-14783
A path traversal flaw in hermes-agent's skill-viewing tool function allows crafted 'Name' arguments to escape the intended skills directory and read arbitrary files on the host.
hermes-agent has had a cluster of disclosed vulnerabilities this week; this is a distinct, remotely-triggerable file-read primitive that could expose configuration secrets or credentials on hosts running the framework, though its blast radius remains limited to this single project.
The skill_view function in tools/skills_tool.py fails to sanitize the Name argument, allowing a remote attacker to traverse the filesystem via crafted path values. The exploit has been publicly disclosed.
NousResearch hermes-agent 2026.5.29.2
Check the hermes-agent repository for a patched release; sanitize or allowlist skill-name path components pending an upstream fix.
NVD CVE-2026-14783hermes-agent GitHub
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →