CVE-2026-6832
HIGHNesquena Hermes WebUI Arbitrary File Deletion via Unvalidated session_id
Title source: cnaDescription
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.
References (6)
Core 6
Core References
Patch Commit
https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655
Third Party Advisory third-party-advisory
Release Notes
https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132
Third Party Advisory third-party-advisory
Release Notes
https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id
Scores
CVSS v3
8.1
EPSS
0.0047
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (2)
get-hermes/hermes_web_ui
< 0.50.32
nesquena/hermes-webui
< PR #409
Published
Apr 21, 2026
Tracked Since
Apr 22, 2026