Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.
AnalysisAI
Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files outside the designated workspace by placing symlinks that resolve to external host paths and accessing them through the workspace file or listing APIs. Because the vulnerable code only blocked raw '..' traversal and a small denylist of system directories rather than enforcing that resolved targets stay within the workspace root, attackers can disclose sensitive host content such as SSH keys, cloud credentials, and application tokens. No public exploit identified at time of analysis, but the patch and a VulnCheck advisory are published and the fix is straightforward to reverse-engineer from the upstream commit.
Technical ContextAI
Hermes WebUI is a Python-based web interface (cpe:2.3:a:nesquena:hermes_webui) whose workspace abstraction is meant to confine file reads and directory listings to a per-session root directory reachable by both the browser UI and agent/tool calls. The root cause is CWE-59 (Link Following): the prior safe_resolve_ws logic in api/workspace.py treated symlinks placed inside the workspace as user-intentional, normalizing '..' without following the link and only rejecting a small set of blocked system paths (/etc, /proc, /sys, /dev). The fix in commit 7c48c376299b8058fd35127a59aefadded7e4a92 unconditionally calls Path.resolve() on the request and rejects anything whose canonical path is not relative to the resolved workspace root, and list_dir now filters symlink entries whose targets escape the workspace so they are not even advertised in directory listings.
RemediationAI
Vendor-released patch: upgrade to Hermes WebUI v0.51.221 or later, which replaces the permissive symlink handling in api/workspace.py with strict Path.resolve()-based containment and filters escape-pointing symlinks out of directory listings; the fix is in commit 7c48c376299b8058fd35127a59aefadded7e4a92 (PR #3398). If immediate upgrade is not possible, run the Hermes WebUI process under a dedicated low-privilege user whose filesystem view contains no SSH keys, cloud credential files, or application tokens (this neutralizes the disclosure primitive at the cost of breaking any legitimate workflows that read host files), and additionally restrict network access to /api/list and the workspace file-read endpoints to trusted operators only - note this breaks browser UI use by general users and any LLM agent tool calls that legitimately need workspace listings. As a stopgap, audit existing workspace directories for symlinks pointing outside the workspace root and remove them, accepting that this does not prevent re-creation by an attacker with workspace write access.
More in Hermes Webui
View allUnauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t
Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass
Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin
Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files,
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic
Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran
Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra
Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans
Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availabi
Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint
Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user oper
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34331
GHSA-wp87-gw3h-3hx6