Description
Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.
Published: 2026-06-04
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI (nesquena) before version 0.51.221 contains a path‑traversal flaw that lets attackers craft symlinks pointing outside the intended workspace root. The workspace file and listing APIs resolve those symlinks without verifying that the final target stays within the protected directory, allowing read access to arbitrary host files handled by the server. Sensitive data such as SSH keys, cloud credentials or application tokens can be disclosed by exploiting this weakness.

Affected Systems

All Hermes WebUI releases prior to v0.51.221 are vulnerable. Users running any of those versions should review their deployments for exposure of the workspace APIs and determine whether they expose this functionality to unauthenticated or low‑privileged consumers.

Risk and Exploitability

The CVSS score is 7.1, and the EPSS information is unavailable; the vulnerability is not present in the CISA KEV list. The flaw can be exploited by sending crafted requests to the public workspace file and listing endpoints, which processes symlinks without path enforcement. Attackers do not need elevated privileges on the host, but they must be able to supply symlinks in the workspace, indicating that the service is writable or receives user‑controlled file uploads. Once exploited, the attacker can read any host file visible to the server process.

Generated by OpenCVE AI on June 4, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.221 or later, which removes the unchecked symlink resolution.
  • Configure the workspace API to reject or sanitize paths that resolve outside the designated directory, ensuring the final target remains within the workspace root.
  • Restrict external exposure of the workspace file and listing endpoints to authenticated users or internal networks, reducing the attack surface.

Generated by OpenCVE AI on June 4, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Nesquena
Nesquena hermes-webui
Vendors & Products Nesquena
Nesquena hermes-webui

Thu, 04 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.
Title Hermes WebUI before 0.51.221 Path Traversal via Symlink Workspace Bypass
Weaknesses CWE-59
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nesquena Hermes-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-04T21:58:47.308Z

Reserved: 2026-06-04T21:29:10.986Z

Link: CVE-2026-11322

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T22:16:52.283

Modified: 2026-06-04T22:16:52.283

Link: CVE-2026-11322

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T00:15:16Z

Weaknesses