Skip to main content

Hermes WebUI EUVDEUVD-2026-35707

| CVE-2026-49959 HIGH
OS Command Injection (CWE-78)
2026-06-09 disclosure@vulncheck.com GHSA-69x8-4j5h-mmr4
8.7
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 17:43 vuln.today
Analysis Generated
Jun 09, 2026 - 17:43 vuln.today

DescriptionCVE.org

Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.

AnalysisAI

Remote code execution in Hermes WebUI versions prior to 0.51.311 allows authenticated attackers to run arbitrary host commands by planting malicious Git configuration in a workspace repository's .git/config file. The Python backend in api/workspace_git.py invokes Git subprocesses (status, fetch) without hardening, so repo-local directives like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy, or inherited GIT_SSH_COMMAND turn read-only operations into command execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor advisory and a VulnCheck disclosure (assigned via disclosure@vulncheck.com) confirm the bug and the corresponding fix.

Technical ContextAI

Hermes WebUI is a Python web application that performs Git operations against user-controlled workspace repositories. The root cause is CWE-78 (OS Command Injection) realized through Git's well-known config-as-code surface: a number of Git settings will execute helper programs (fsmonitor hook, askPass, credential.helper, gitProxy, the ext:: protocol family) and Git honors these from the per-repository .git/config without privilege checks. Because api/workspace_git.py spawned git status and the default-enabled git fetch --prune while inheriting the parent process environment and respecting repo-local config, any attacker who could write into a workspace's .git/config (or restore a crafted repository) could pivot a metadata read into code execution. The patch in commit 938ac9f and PR #3776 (referenced as #3769 in the changelog) passes hardened -c overrides on every Git invocation to neutralize the executable config keys, strips GIT_ASKPASS/SSH_ASKPASS/GIT_SSH/GIT_SSH_COMMAND from the environment, and sets GIT_TERMINAL_PROMPT=0 so HTTPS auth fails fast instead of hanging.

RemediationAI

Vendor-released patch: upgrade Hermes WebUI to v0.51.311 or later, which hardens every workspace Git subprocess with -c overrides for core.fsmonitor, core.askPass, credential.helper, protocol.ext.allow and related keys, removes GIT_ASKPASS/SSH_ASKPASS/GIT_SSH/GIT_SSH_COMMAND from the inherited environment, and sets GIT_TERMINAL_PROMPT=0 (see https://github.com/nesquena/hermes-webui/releases/tag/v0.51.311 and the VulnCheck advisory at https://www.vulncheck.com/advisories/hermes-webui-rce-via-git-configuration-injection). If you cannot upgrade immediately, restrict who can create or restore workspace repositories to fully trusted users, disable the workspace Git integration or any auto-git fetch --prune scheduling so that only manual, audited Git actions run, and run the WebUI under a dedicated low-privilege account with no inherited GIT_*/SSH_* environment variables and no on-disk credential helpers - note that this breaks private HTTPS remotes that rely on stored credentials, and the vendor's guidance after upgrade is to switch those remotes to SSH or another externally authenticated transport. As a stopgap, you can also pre-flight workspace repositories by stripping or refusing any .git/config containing core.fsmonitor, core.askPass, core.gitProxy, credential.helper or protocol.ext.allow keys, accepting that legitimate uses of those keys will also be blocked.

Share

EUVD-2026-35707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy