PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14628 NousResearch CVE debrief

CVE-2026-14628 is a path traversal vulnerability detected in NousResearch hermes-agent up to version 2026.5.16. The vulnerability specifically impacts the function extract_media in the file gateway/platforms/base.py within the Live Webhook Endpoint component. An attacker can manipulate this function to perform a path traversal attack, which may be initiated remotely. The exploit for this vulnerability is now public and can be used. The vendor, NousResearch, was contacted early in the disclosure process but did not respond.

Vendor
NousResearch
Product
hermes-agent
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-04
Original CVE updated
2026-07-04
Advisory published
2026-07-04
Advisory updated
2026-07-04

Who should care

Security teams and administrators responsible for NousResearch hermes-agent should be aware of this vulnerability. Given the public availability of the exploit and the remote initiation of the attack, prioritizing mitigation is crucial. This vulnerability has a CVSS score of 5.5, indicating a medium severity level.

Technical summary

The vulnerability CVE-2026-14628 is a path traversal issue in the NousResearch hermes-agent, specifically affecting versions up to 2026.5.16. It is located in the extract_media function of the gateway/platforms/base.py file within the Live Webhook Endpoint component. The vulnerability allows for remote manipulation leading to path traversal. The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a medium severity with a score of 5.5.

Defensive priority

Given the medium severity and public exploit availability, security teams should prioritize patching or mitigating this vulnerability. Immediate action is recommended to prevent potential remote attacks.

Recommended defensive actions

  • Apply the patch or update to a version of NousResearch hermes-agent beyond 2026.5.16.
  • Implement compensating controls such as input validation and sanitization for the extract_media function.
  • Monitor for suspicious activity related to the Live Webhook Endpoint component.
  • Perform a thorough inventory check to identify affected systems and prioritize remediation.
  • Consider temporary mitigations such as disabling the Live Webhook Endpoint if a patch cannot be immediately applied.

Evidence notes

The CVE-2026-14628 entry was created based on information from various sources, including Vuldb and the National Vulnerability Database (NVD). The vendor, NousResearch, was contacted but did not respond. The exploit is publicly available, increasing the urgency for affected systems to apply mitigations or patches.

Official resources

This article is AI-assisted and based on the supplied source corpus.