Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.
AnalysisAI
Arbitrary file deletion in Hermes WebUI before v0.51.303 allows a low-privileged local attacker to remove files outside the configured workspace boundary by exploiting a TOCTOU race condition in the git_discard function of api/workspace_git.py. An attacker who controls a workspace path component can swap it for a symlink in the narrow window between safe_resolve_ws() validation and the raw shutil.rmtree or Path.unlink deletion call, causing the delete operation to follow the symlink and destroy arbitrary files on the host. No public exploit has been identified at time of analysis and active exploitation is not confirmed (not in CISA KEV); a vendor-released patch in v0.51.303 closes the validation-to-use window.
Technical ContextAI
The vulnerability resides in the git_discard() function in api/workspace_git.py within Hermes WebUI, a Python-based web application for managing AI agent workspaces. CWE-367 (TOCTOU Race Condition) describes the root cause: the code performs a security-relevant check (safe_resolve_ws() path validation to confirm a target is inside the workspace) separately from the security-relevant use (shutil.rmtree or Path.unlink deletion). Because the filesystem state can change between those two operations, a symlink swap during the race window defeats the check. The fix, introduced in commit 4580f58, replaces the raw deletion calls with rmtree_anchored and unlink_anchored - helpers that re-validate the resolved path at the moment of deletion, eliminating the window. The affected code path is triggered only when the delete_untracked=true parameter is passed to git_discard, meaning the vulnerability is confined to the untracked-file discard flow and not general git operations. No CPE string was provided; affected product is Hermes WebUI (github.com/nesquena/hermes-webui) prior to the v0.51.303 release tag.
RemediationAI
Upgrade Hermes WebUI to v0.51.303 or later, released 2026-06-06 and available at github.com/nesquena/hermes-webui/releases/tag/v0.51.303. The fix (commit 4580f584964d640b95c4ffc9245a21ab926bec73, PR #3702) replaces raw shutil.rmtree and Path.unlink calls with rmtree_anchored and unlink_anchored, which re-validate the resolved path at the moment of deletion. If immediate upgrade is not feasible, a targeted workaround is to disable or restrict API calls to git_discard with the delete_untracked=true parameter - for example, via reverse-proxy ACLs or application-layer middleware blocking that parameter - accepting the trade-off that users will lose the ability to discard untracked files via the WebUI. Restricting local filesystem access to the Hermes WebUI process user (principle of least privilege) limits the blast radius if the race is won, since the symlink can only redirect to directories writable or readable by that process account. Reference: github.com/nesquena/hermes-webui/pull/3702 and github.com/nesquena/hermes-webui/pull/3756.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35706
GHSA-qg92-vxjm-x4q9