Description
A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extract_media of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-07-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the extract_media function of the Live Webhook Endpoint allows an attacker to supply a crafted payload that triggers a path traversal condition. This vulnerability can enable remote actors to read or possibly write arbitrary files on the host running the Hermes Agent, leading to information disclosure or privilege escalation. An exploit is available publicly and can be launched from the network.

Affected Systems

NousResearch Hermes Agent versions up to 2026.5.16 are affected. Any deployments using this component and exposing the Live Webhook Endpoint to external traffic are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity and the EPSS score is not provided, though the issue is publicly disclosed. The vulnerability is not listed in CISA’s KEV catalog. Attacks are remote and can be carried out by sending malicious data to the webhook endpoint, which then processes the payload in the extract_media routine without proper path sanitization. Failure to mitigate could allow an attacker to read sensitive files or alter configuration resources.

Generated by OpenCVE AI on July 5, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Hermes Agent release that addresses path traversal in the Live Webhook Endpoint
  • If an immediate upgrade is not possible, restrict external access to the Live Webhook Endpoint using firewall rules, VPN or IP whitelisting
  • Review the extract_media implementation to enforce canonical path validation and restrict file operations to a safe directory
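The canonical-path check the last action calls for, shown as an added Python example that is not code from hermes-agent (the page does not show extract_media's internals): MEDIA_ROOT, resolve_media_path_unsafe and safe_media_path are assumed names, and the unchecked join is included only to contrast the CWE-22 pattern with the validated form.

```python
"""Canonical-path validation for a media file name taken from a webhook.

Added example: MEDIA_ROOT, resolve_media_path_unsafe and safe_media_path are
assumed names for illustration, not code from hermes-agent's
gateway/platforms/base.py.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox root standing in for the gateway's media directory.
MEDIA_ROOT = Path(tempfile.mkdtemp(prefix="media_root_")).resolve()

# A symlink inside the root that points outside it, to show that the check
# must follow links, not merely collapse '..' segments.
try:
    os.symlink(MEDIA_ROOT.parent, MEDIA_ROOT / "escape")
    SYMLINK_CREATED = True
except OSError:
    SYMLINK_CREATED = False


def resolve_media_path_unsafe(root: Path, name: str) -> Path:
    """The CWE-22 pattern: an attacker-controlled name is joined to the root
    with no canonicalisation, so '..' segments or an absolute name leave the
    intended directory."""
    return Path(os.path.join(root, name))


def safe_media_path(root: Path, name: str) -> Optional[Path]:
    """Return the canonical path for `name` inside `root`, or None when it
    would land outside. Call it after any URL or form decoding: it checks the
    final name, not an encoded form."""
    if not name or "\x00" in name:
        return None                       # empty or NUL-bearing names are rejected
    root = root.resolve()
    # resolve() collapses '..' and follows existing symlinks; strict=False
    # (the default) so a file that is about to be written still validates.
    candidate = (root / name).resolve()
    # An absolute `name` replaces `root` in the join; is_relative_to catches
    # that case as well as '..' traversal and symlink escapes.
    if not candidate.is_relative_to(root):
        return None
    return candidate
```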

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extract_media of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | NousResearch hermes-agent Live Webhook Endpoint base.py extract_media path traversal
First Time appeared | | Nousresearch; Nousresearch hermes-agent
Weaknesses | | CWE-22
CPEs | | cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
Vendors & Products | | Nousresearch; Nousresearch hermes-agent
References | |
Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T13:00:08.104Z

Reserved: 2026-07-03T17:07:53.319Z

Link: CVE-2026-14628

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')