nesquena-hermes

13 exploits Active since Apr 2026
CVE-2026-55205 WRITEUP MEDIUM WRITEUP
Hermes WebUI < 0.51.468 - Resource Exhaustion via Unauthenticated OAuth Flow Endpoint
Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.
CVSS 5.3
CVE-2026-53871 WRITEUP HIGH WRITEUP
Hermes WebUI < 0.51.368 - Profile-Scoped Authorization Bypass via Forged hermes_profile Cookie
Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.
CVSS 8.1
CVE-2026-55196 WRITEUP CRITICAL WRITEUP
Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.
CVSS 9.1
CVE-2026-55197 WRITEUP MEDIUM WRITEUP
Hermes WebUI < 0.51.443 - Broken Access Control in /api/session Endpoint
Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET /api/session?session_id=<foreign_id>&messages=1 to retrieve unauthorized conversation transcripts and metadata.
CVSS 6.5
CVE-2026-55198 WRITEUP MEDIUM WRITEUP
Hermes WebUI < 0.51.443 - Cross-Profile Session Data Exfiltration via Session Export Endpoint
Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, enabling attackers to exfiltrate foreign session transcripts by guessing or knowing session identifiers.
CVSS 6.5
CVE-2026-49955 WRITEUP MEDIUM WRITEUP
Hermes WebUI < 0.51.270 Resource Exhaustion via passkey/options
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.
CVSS 5.3
CVE-2026-49956 WRITEUP MEDIUM WRITEUP
Hermes WebUI < 0.51.269 Profile Isolation Bypass via sessions search
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.
CVSS 6.5
CVE-2026-49957 WRITEUP HIGH WRITEUP
Hermes WebUI < 0.51.269 Workspace Boundary Bypass via api/workspace.py
Hermes WebUI before version 0.51.296 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within _remote_terminal_workspace_candidate(). Attackers can configure a remote terminal working directory to a system directory such as /etc, causing the workspace resolution path to accept it as a trusted local workspace root before the _is_blocked_workspace_path() guard executes, enabling read access to local system files through workspace file-read helpers.
CVSS 7.7
CVE-2026-49958 WRITEUP MEDIUM WRITEUP
Hermes WebUI < 0.51.303 TOCTOU Race Condition via git_discard
Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.
CVSS 5.0
CVE-2026-49959 WRITEUP HIGH WRITEUP
Hermes WebUI < 0.51.311 RCE via Git Configuration Injection
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.
CVSS 8.8
CVE-2026-11322 WRITEUP MEDIUM WRITEUP
Hermes WebUI before 0.51.221 Path Traversal via Symlink Workspace Bypass
Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.
CVSS 6.5
CVE-2026-6829 WRITEUP MEDIUM WRITEUP
nesquena hermes-webui Arbitrary Workspace Directory Access
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.
CVSS 6.3
CVE-2026-6832 WRITEUP HIGH WRITEUP
Nesquena Hermes WebUI Arbitrary File Deletion via Unvalidated session_id
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.
CVSS 8.1