CVE-2026-6829
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nesquena | hermes-webui | 0 < PR #416 | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nesquena/hermes-webui/pull/416
- https://github.com/nesquena/hermes-webui/commit/2a7a5ddfaf39e3b0094b7ac37e9f1dbcf40a3918
- https://github.com/nesquena/hermes-webui/releases/tag/v0.50.34
- https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-workspace-directory-access
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.