← back
CVE-2026-6829

nesquena hermes-webui Arbitrary Workspace Directory Access

CVSS 5.3 MEDIUMEPSS 0.3%CWE-22
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
21 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected products
nesquena · hermes-webui

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/nesquena/hermes-webui/commit/2a7a5ddfaf39e3b0094b7ac37e9f1dbcf40a3918https://github.com/nesquena/hermes-webui/pull/416https://github.com/nesquena/hermes-webui/releases/tag/v0.50.34https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-workspace-directory-access