Two significant security vulnerabilities, CVE-2026-14628 and CVE-2026-14627, have been publicly disclosed in hermes-agent, an open-source AI agent framework from NousResearch. The vulnerabilities consist of a path traversal and an improper authentication flaw, respectively. These weaknesses could allow a remote attacker to access restricted files or bypass authentication mechanisms. The situation is exacerbated by the reported unresponsiveness of the vendor to the disclosure attempts and the public availability of an exploit for the path traversal vulnerability. This highlights the security risks associated with rapidly developed, emerging AI tools and frameworks.
extract_media function within the Live Webhook Endpoint component of hermes-agent versions up to 2026.5.16.../) to manipulate file paths. This allows the attacker to read or potentially write to files outside of the intended directory.DiscordAdapter._is_allowed_user function in the Discord Platform Integration component of hermes-agent versions up to 0.15.2.Organizations and developers using this open-source framework in their projects are at risk.
The path traversal vulnerability (CVE-2026-14628) has a public exploit, making it a more immediate threat. This aligns with T1190 - Exploit Public-Facing Application. The improper authentication flaw (CVE-2026-14627) is considered harder to exploit, but it still represents a significant weakness that could be leveraged by a determined attacker, mapping to T1078 - Valid Accounts. The lack of vendor response means these vulnerabilities will likely remain unpatched in the official repository for the foreseeable future.
The impact depends on how the hermes-agent is deployed. If used in a production environment, especially one that is internet-facing, the path traversal vulnerability could lead to a serious data breach. An attacker could steal sensitive data or gain information needed for further attacks.
The improper authentication flaw, while harder to exploit, could undermine the trust and security of AI agents integrated with platforms like Discord, potentially allowing for unauthorized use of the agent, data manipulation, or spam.
More broadly, this incident highlights the growing pains of the open-source AI ecosystem. As new tools are developed and adopted quickly, security often lags behind. The unresponsiveness of the vendor is a major red flag for any organization considering using this software.
../ or ..\ in requests to the hermes-agent webhook endpoint./etc/, /root/).Given the vendor's unresponsiveness, users of hermes-agent are in a difficult position.
DiscordAdapter._is_allowed_user function in their own forks of the code to enforce stricter user validation.The primary mitigation, which is currently unavailable from the vendor. Users may need to apply community patches or fork the project.
Mapped D3FEND Techniques:
Using a WAF for virtual patching to block path traversal exploit attempts.
Mapped D3FEND Techniques:
Running the hermes-agent in a heavily restricted and sandboxed environment to limit the impact of a potential compromise.
Mapped D3FEND Techniques:
The vulnerabilities CVE-2026-14628 and CVE-2026-14627 are publicly disclosed.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.