Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Hermes WebUI prior to 0.51.44 - Release T contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace field and subsequently use relative paths in the session file API to access any file readable by the WebUI process.
AnalysisAI
Path traversal in Hermes WebUI's session import endpoint allows authenticated low-privileged attackers to read arbitrary files accessible to the WebUI process. By importing a crafted session JSON with an unrestricted workspace value such as '/', an attacker bypasses the workspace boundary controls that govern every other workspace-bearing endpoint, then leverages the file API to exfiltrate any file readable by the WebUI process user. No active exploitation is confirmed (absent from CISA KEV), EPSS sits at 0.04% in the 12th percentile, and SSVC rates exploitation as none - but the CVSS 4.0 confidentiality impact is rated High, making this a meaningful risk for network-exposed deployments with authenticated user populations.
Technical ContextAI
The vulnerable component is Hermes WebUI by nesquena (CPE: cpe:2.3:a:nesquena:hermes-webui:*:*:*:*:*:*:*:*), a web-based AI assistant interface. The root cause is CWE-22 (Path Traversal): the POST /api/session/import endpoint read the 'workspace' field directly from attacker-supplied JSON without passing it through resolve_trusted_workspace() - the sanitization function already applied to all other workspace-bearing API endpoints. This omission allowed an arbitrary filesystem path (e.g., '/') to be persisted on the Session object. Once stored, the /api/file endpoint, which constructs file paths by joining the session's workspace with caller-supplied relative paths, would resolve traversal sequences against the attacker-controlled root rather than a restricted workspace directory. The CVSS 4.0 AT:P (Attack Requirements Present) component confirms that specific deployment conditions - particularly instances bound to 0.0.0.0 or LAN-exposed with password authentication - elevate exposure, consistent with the vendor's own severity characterization in the release notes.
RemediationAI
Upgrade Hermes WebUI to version 0.51.44 (Release T) or later, which applies workspace validation via resolve_trusted_workspace() to the session import endpoint, closing the path traversal gap - the fix is in commit f00cb74f776f22f02f5eb6b39dfb389f87cc7fd3 and the release is available at https://github.com/nesquena/hermes-webui/releases/tag/v0.51.44. If immediate upgrade is not feasible, block or restrict the POST /api/session/import endpoint at the reverse proxy or WAF layer to prevent crafted imports - note this disables legitimate session import functionality as a trade-off. Additionally, avoid binding the WebUI to 0.0.0.0 on untrusted networks; restrict binding to localhost (127.0.0.1) or a trusted interface to reduce the PR:L attack surface to local accounts only. Audit existing sessions in the database for unexpected workspace values set to filesystem roots such as '/' or '/etc' as an indicator of prior exploitation.
More in Hermes Webui
View allUnauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t
Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass
Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin
Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files,
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic
Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files ou
Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran
Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra
Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans
Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availabi
Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30109
GHSA-wvw9-5wfm-7729