Skip to main content

Hermes WebUI EUVDEUVD-2026-34331

| CVE-2026-11322 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-04 VulnCheck GHSA-wp87-gw3h-3hx6
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 04, 2026 - 22:35 vuln.today
Analysis Generated
Jun 04, 2026 - 22:35 vuln.today
Severity Changed
Jun 04, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jun 04, 2026 - 22:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)

DescriptionCVE.org

Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.

AnalysisAI

Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files outside the designated workspace by placing symlinks that resolve to external host paths and accessing them through the workspace file or listing APIs. Because the vulnerable code only blocked raw '..' traversal and a small denylist of system directories rather than enforcing that resolved targets stay within the workspace root, attackers can disclose sensitive host content such as SSH keys, cloud credentials, and application tokens. No public exploit identified at time of analysis, but the patch and a VulnCheck advisory are published and the fix is straightforward to reverse-engineer from the upstream commit.

Technical ContextAI

Hermes WebUI is a Python-based web interface (cpe:2.3:a:nesquena:hermes_webui) whose workspace abstraction is meant to confine file reads and directory listings to a per-session root directory reachable by both the browser UI and agent/tool calls. The root cause is CWE-59 (Link Following): the prior safe_resolve_ws logic in api/workspace.py treated symlinks placed inside the workspace as user-intentional, normalizing '..' without following the link and only rejecting a small set of blocked system paths (/etc, /proc, /sys, /dev). The fix in commit 7c48c376299b8058fd35127a59aefadded7e4a92 unconditionally calls Path.resolve() on the request and rejects anything whose canonical path is not relative to the resolved workspace root, and list_dir now filters symlink entries whose targets escape the workspace so they are not even advertised in directory listings.

RemediationAI

Vendor-released patch: upgrade to Hermes WebUI v0.51.221 or later, which replaces the permissive symlink handling in api/workspace.py with strict Path.resolve()-based containment and filters escape-pointing symlinks out of directory listings; the fix is in commit 7c48c376299b8058fd35127a59aefadded7e4a92 (PR #3398). If immediate upgrade is not possible, run the Hermes WebUI process under a dedicated low-privilege user whose filesystem view contains no SSH keys, cloud credential files, or application tokens (this neutralizes the disclosure primitive at the cost of breaking any legitimate workflows that read host files), and additionally restrict network access to /api/list and the workspace file-read endpoints to trusted operators only - note this breaks browser UI use by general users and any LLM agent tool calls that legitimately need workspace listings. As a stopgap, audit existing workspace directories for symlinks pointing outside the workspace root and remove them, accepting that this does not prevent re-creation by an attacker with workspace write access.

CVE-2026-58123 CRITICAL
9.3 Jul 09

Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell

CVE-2026-58122 CRITICAL
9.3 Jul 09

Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t

CVE-2026-55196 CRITICAL
9.1 Jun 17

Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass

CVE-2026-49973 CRITICAL
9.2 Jun 11

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin

CVE-2026-53871 HIGH
8.6 Jun 17

Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files,

CVE-2026-6832 HIGH
7.2 Apr 21

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic

CVE-2026-49956 HIGH
7.1 Jun 09

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran

CVE-2026-55198 HIGH
7.1 Jun 17

Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra

CVE-2026-55197 HIGH
7.1 Jun 17

Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans

CVE-2026-49955 MEDIUM
6.9 Jun 09

Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availabi

CVE-2026-55205 MEDIUM
6.9 Jun 18

Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint

CVE-2026-58174 MEDIUM
6.0 Jun 30

Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user oper

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy