CVE-2026-14628
Received Received - Intake

Path Traversal in NousResearch Hermes Agent

Vulnerability report for CVE-2026-14628, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extract_media of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-04
Last Modified
2026-07-04
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nousresearch hermes-agent to 2026.5.16 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14628 is an Arbitrary File Read vulnerability in the Hermes Agent's extract_media() function located in gateway/platforms/base.py. This function fails to properly check file paths extracted from MEDIA: tags in LLM responses, allowing an attacker to perform path traversal.

An attacker who can influence the LLM's output via prompt injection can cause the gateway to read and attach files from anywhere on the host filesystem, as long as the file path is absolute or home-relative and ends with a whitelisted extension such as .csv, .txt, .pdf, .zip, .docx, or .xlsx.

This vulnerability bypasses the agent's internal sandbox restrictions and requires no authentication beyond the ability to send messages to the bot. It was patched in versions v2026.5.28 and later by adding stricter path validation.

Impact Analysis

This vulnerability allows an attacker to read arbitrary files on the host system where the Hermes Agent is running, potentially exposing sensitive or confidential information.

Since the attacker can exploit this remotely without authentication, it increases the risk of unauthorized data disclosure.

Although files without extensions like /etc/passwd are not affected, many important files with whitelisted extensions remain vulnerable, which could lead to leakage of business-critical or personal data.

Detection Guidance

This vulnerability involves the extract_media() method in the Hermes Agent's gateway failing to properly validate file paths, allowing an attacker to cause arbitrary file reads via specially crafted MEDIA: tags in LLM responses.

Detection can focus on monitoring for unusual or unauthorized file access attempts, especially those involving files with whitelisted extensions such as .csv, .txt, .pdf, .zip, .docx, and .xlsx.

Since the attack is initiated remotely by sending crafted messages to the bot, network or application logs should be inspected for suspicious inputs containing MEDIA: tags with absolute or home-relative paths.

  • Check application logs for MEDIA: tag inputs containing absolute or home-relative file paths.
  • Monitor file access logs for reads of sensitive files with whitelisted extensions outside expected directories.
  • Use commands like 'lsof' or 'auditctl' on Linux to track file access by the hermes-agent process.
  • Example command to monitor file reads by hermes-agent: sudo auditctl -w /path/to/important/files -p r -k hermes_agent_monitor
  • Search logs for suspicious MEDIA: tag patterns using grep, e.g., grep -r 'MEDIA:' /var/log/hermes-agent/
Mitigation Strategies

Immediate mitigation involves updating the hermes-agent to version v2026.5.28 or later, where the vulnerability is patched by introducing validate_media_delivery_path() to enforce path restrictions.

If updating is not immediately possible, restrict access to the hermes-agent service to trusted users only and monitor for suspicious activity.

Implement network-level controls to limit who can send messages to the bot, reducing the risk of remote exploitation.

Review and harden file system permissions to prevent unauthorized reading of sensitive files, especially those with whitelisted extensions.

Compliance Impact

The vulnerability allows an attacker to perform arbitrary file reads on the host filesystem by exploiting path traversal in the extract_media function. This can lead to unauthorized access to sensitive files with certain extensions, potentially exposing confidential or personal data.

Such unauthorized data access could result in non-compliance with data protection regulations like GDPR or HIPAA, which require strict controls over access to personal and sensitive information.

Because the exploit can be initiated remotely without authentication, it increases the risk of data breaches, which are reportable incidents under these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14628. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart