CVE-2026-6830

LOW

Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch

Title source: cna

Description

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.

References (5)

[Patch] https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0

View Patch ZIP pw:eip

https://github.com/nesquena/hermes-webui/pull/351

https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132

[Third Party Advisory] https://github.com/nesquena/hermes-webui/releases/tag/v0.50.12

[Third Party Advisory] https://www.vulncheck.com/advisories/nesquena-hermes-webui-environment-variable-credential-leakage-via-profile-switch

Scores

CVSS v3 3.3

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-459 CWE-668

Status published

Products (1)

nesquena/hermes-webui < PR #351

Published Apr 21, 2026

Tracked Since Apr 22, 2026