Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.
AnalysisAI
Remote code execution in Hermes WebUI versions prior to 0.51.311 allows authenticated attackers to run arbitrary host commands by planting malicious Git configuration in a workspace repository's .git/config file. The Python backend in api/workspace_git.py invokes Git subprocesses (status, fetch) without hardening, so repo-local directives like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy, or inherited GIT_SSH_COMMAND turn read-only operations into command execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor advisory and a VulnCheck disclosure (assigned via disclosure@vulncheck.com) confirm the bug and the corresponding fix.
Technical ContextAI
Hermes WebUI is a Python web application that performs Git operations against user-controlled workspace repositories. The root cause is CWE-78 (OS Command Injection) realized through Git's well-known config-as-code surface: a number of Git settings will execute helper programs (fsmonitor hook, askPass, credential.helper, gitProxy, the ext:: protocol family) and Git honors these from the per-repository .git/config without privilege checks. Because api/workspace_git.py spawned git status and the default-enabled git fetch --prune while inheriting the parent process environment and respecting repo-local config, any attacker who could write into a workspace's .git/config (or restore a crafted repository) could pivot a metadata read into code execution. The patch in commit 938ac9f and PR #3776 (referenced as #3769 in the changelog) passes hardened -c overrides on every Git invocation to neutralize the executable config keys, strips GIT_ASKPASS/SSH_ASKPASS/GIT_SSH/GIT_SSH_COMMAND from the environment, and sets GIT_TERMINAL_PROMPT=0 so HTTPS auth fails fast instead of hanging.
RemediationAI
Vendor-released patch: upgrade Hermes WebUI to v0.51.311 or later, which hardens every workspace Git subprocess with -c overrides for core.fsmonitor, core.askPass, credential.helper, protocol.ext.allow and related keys, removes GIT_ASKPASS/SSH_ASKPASS/GIT_SSH/GIT_SSH_COMMAND from the inherited environment, and sets GIT_TERMINAL_PROMPT=0 (see https://github.com/nesquena/hermes-webui/releases/tag/v0.51.311 and the VulnCheck advisory at https://www.vulncheck.com/advisories/hermes-webui-rce-via-git-configuration-injection). If you cannot upgrade immediately, restrict who can create or restore workspace repositories to fully trusted users, disable the workspace Git integration or any auto-git fetch --prune scheduling so that only manual, audited Git actions run, and run the WebUI under a dedicated low-privilege account with no inherited GIT_*/SSH_* environment variables and no on-disk credential helpers - note that this breaks private HTTPS remotes that rely on stored credentials, and the vendor's guidance after upgrade is to switch those remotes to SSH or another externally authenticated transport. As a stopgap, you can also pre-flight workspace repositories by stripping or refusing any .git/config containing core.fsmonitor, core.askPass, core.gitProxy, credential.helper or protocol.ext.allow keys, accepting that legitimate uses of those keys will also be blocked.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35707
GHSA-69x8-4j5h-mmr4