CVE-2026-6829
Severity: MEDIUM
nesquena hermes-webui Arbitrary Workspace Directory Access
Title source: CNA

Description
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.
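The defect described above is a missing containment check: a caller-supplied workspace path is accepted as long as the directory exists. The function below is an added example of how such a check is normally enforced; it is not hermes-webui's code or its actual fix, and it assumes a single operator-configured trusted root under which all workspaces must live. Both the root and the request are canonicalised with os.path.realpath before comparison, so `..` segments and symlinks cannot move the resolved path outside the root.

```python
import os
import tempfile
from pathlib import Path


class WorkspaceError(ValueError):
    """Raised when a requested workspace path is rejected."""


def resolve_workspace(requested: str, trusted_root: str) -> Path:
    """Return the canonical path of `requested` only if it is an existing
    directory inside `trusted_root`; otherwise raise WorkspaceError.

    Comparing raw strings would not be enough: '/root/../secrets' or a
    symlink placed inside the root both point outside it after resolution,
    so containment is checked on the resolved paths.
    """
    root = Path(os.path.realpath(trusted_root))
    # A relative request is interpreted under the root, never under the
    # process working directory; an absolute request is taken as given.
    raw = requested if os.path.isabs(requested) else str(root / requested)
    candidate = Path(os.path.realpath(raw))
    if candidate != root and root not in candidate.parents:
        raise WorkspaceError(f"workspace outside trusted root: {requested!r}")
    if not candidate.is_dir():
        raise WorkspaceError(f"workspace is not an existing directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Constructed layout (hypothetical, built in a temp dir): one trusted
    root holding a project, a sibling 'secrets' directory outside the root,
    and a symlink inside the root that points at that sibling."""
    base = Path(tempfile.mkdtemp())
    root = base / "workspaces"
    (root / "proj").mkdir(parents=True)
    (base / "secrets").mkdir()
    (root / "escape").symlink_to(base / "secrets")
    requests = {
        "inside": "proj",                      # legitimate workspace
        "dotdot": "../secrets",                # traversal out of the root
        "symlink_out": "escape",               # symlink escaping the root
        "absolute_out": str(base / "secrets"), # absolute path outside root
        "missing": "missing",                  # inside root but not a dir
    }
    results = {}
    for label, req in requests.items():
        try:
            resolve_workspace(req, str(root))
            results[label] = "accepted"
        except WorkspaceError:
            results[label] = "rejected"
    return results
```

Only the request that resolves to an existing directory beneath the root is accepted; the traversal, symlink and absolute escapes are all rejected before any file API runs against them.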
References (4)
Patch Commit: https://github.com/nesquena/hermes-webui/commit/2a7a5ddfaf39e3b0094b7ac37e9f1dbcf40a3918
Release Notes: https://github.com/nesquena/hermes-webui/releases/tag/v0.50.34
Third Party Advisory: https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-workspace-directory-access
Scores
CVSS v3: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK
EPSS: 0.0026
EPSS Percentile: 17.1%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (1): nesquena/hermes-webui < PR #416
Published: Apr 21, 2026
Tracked Since: Apr 22, 2026