CVE-2026-6829

MEDIUM

nesquena hermes-webui Arbitrary Workspace Directory Access

Title source: cna

Description

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.

References (4)

Scores

CVSS v3 6.3
EPSS 0.0003
EPSS Percentile 8.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-22
Status published
Products (1)
nesquena/hermes-webui < PR #416
Published Apr 21, 2026
Tracked Since Apr 22, 2026