CVE-2026-58174
MEDIUMHermes WebUI < 0.51.521 - Cross-Profile Authorization Bypass via Unset Session Profile on Import
Title source: cnaDescription
Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persisted with a null profile. Because a null profile is treated as the default profile by the profile authorization check, a user on the default profile can export the imported session transcript and use its session identifier to read files from the named profile's workspace, defeating the application's profile isolation.
References (5)
Core 5
Core References
Release Notes release-notes
Release Notes
https://github.com/nesquena/hermes-webui/releases/tag/v0.51.521
Technical Description technical-description
Researcher PR
https://github.com/nesquena/hermes-webui/pull/4489
Patch patch
Fix Commit
https://github.com/nesquena/hermes-webui/commit/3d5ef4758e920ba6888d49aaa4341de214693496
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/hermes-webui-cross-profile-authorization-bypass-via-unset-session-profile-on-import
Scores
CVSS v3
6.5
EPSS
0.0027
EPSS Percentile
17.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-732
Status
published
Products (1)
nesquena/hermes-webui
< 0.51.521
Published
Jun 30, 2026
Tracked Since
Jun 30, 2026