PatchSiren cyber security CVE debrief
CVE-2026-14628 NousResearch CVE debrief
CVE-2026-14628 is a path traversal vulnerability detected in NousResearch hermes-agent up to version 2026.5.16. The vulnerability specifically impacts the function extract_media in the file gateway/platforms/base.py within the Live Webhook Endpoint component. An attacker can manipulate this function to perform a path traversal attack, which may be initiated remotely. The exploit for this vulnerability is now public and can be used. The vendor, NousResearch, was contacted early in the disclosure process but did not respond.
- Vendor
- NousResearch
- Product
- hermes-agent
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-04
- Original CVE updated
- 2026-07-04
- Advisory published
- 2026-07-04
- Advisory updated
- 2026-07-04
Who should care
Security teams and administrators responsible for NousResearch hermes-agent should be aware of this vulnerability. Given the public availability of the exploit and the remote initiation of the attack, prioritizing mitigation is crucial. This vulnerability has a CVSS score of 5.5, indicating a medium severity level.
Technical summary
The vulnerability CVE-2026-14628 is a path traversal issue in the NousResearch hermes-agent, specifically affecting versions up to 2026.5.16. It is located in the extract_media function of the gateway/platforms/base.py file within the Live Webhook Endpoint component. The vulnerability allows for remote manipulation leading to path traversal. The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a medium severity with a score of 5.5.
Defensive priority
Given the medium severity and public exploit availability, security teams should prioritize patching or mitigating this vulnerability. Immediate action is recommended to prevent potential remote attacks.
Recommended defensive actions
- Apply the patch or update to a version of NousResearch hermes-agent beyond 2026.5.16.
- Implement compensating controls such as input validation and sanitization for the extract_media function.
- Monitor for suspicious activity related to the Live Webhook Endpoint component.
- Perform a thorough inventory check to identify affected systems and prioritize remediation.
- Consider temporary mitigations such as disabling the Live Webhook Endpoint if a patch cannot be immediately applied.
Evidence notes
The CVE-2026-14628 entry was created based on information from various sources, including Vuldb and the National Vulnerability Database (NVD). The vendor, NousResearch, was contacted but did not respond. The exploit is publicly available, increasing the urgency for affected systems to apply mitigations or patches.
Official resources
This article is AI-assisted and based on the supplied source corpus.