CVE-2026-14628 in hermes-agentinfo

Summary

by MITRE • 07/04/2026

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extract_media of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability resides within the NousResearch hermes-agent software version 2026.5.16 and earlier, specifically affecting the extract_media function located in gateway/platforms/base.py. The flaw represents a path traversal vulnerability that allows attackers to manipulate file paths and potentially access unauthorized directories on the system. This particular component serves as a Live Webhook Endpoint which processes incoming requests and handles media file extraction, making it a critical point of entry for malicious actors seeking to exploit the system.

The technical implementation of this vulnerability stems from inadequate input validation within the extract_media function, which fails to properly sanitize user-provided file paths before processing them. When the application receives a webhook request containing crafted path parameters, it processes these inputs without sufficient verification, enabling attackers to traverse directories beyond the intended scope. This weakness aligns with CWE-22 Path Traversal vulnerability classification, where insufficient restrictions on file access allow malicious users to access files outside of their intended directory. The vulnerability's remote exploitability means that attackers can initiate attacks from external networks without requiring physical access to the system, significantly expanding the attack surface.

The operational impact of this vulnerability is substantial as it could enable unauthorized access to sensitive data, system files, and potentially lead to complete system compromise. Attackers could leverage this path traversal flaw to read arbitrary files on the server, potentially accessing configuration files, database credentials, or other confidential information stored in directories above the application's intended scope. The public availability of exploit code increases the risk profile substantially, as it removes the need for attackers to develop custom exploitation techniques and allows even less sophisticated threat actors to potentially compromise affected systems.

Mitigation strategies should include immediate patching of the hermes-agent software to the latest available version that addresses this path traversal vulnerability. Organizations should also implement input validation controls at multiple layers including network firewalls, web application firewalls, and application-level sanitization of all user inputs. The principle of least privilege should be enforced by ensuring that the Live Webhook Endpoint operates with minimal necessary permissions and restricted file system access. Additionally, monitoring and logging of webhook endpoint activities should be enhanced to detect anomalous path traversal attempts. This vulnerability aligns with ATT&CK technique T1059 Command and Scripting Interpreter where attackers may use path traversal to gain unauthorized access to system resources, making comprehensive defensive measures essential for protecting against exploitation.

Responsible

VulDB

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00551

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!