Description
Hermes WebUI before version 0.51.269 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within _remote_terminal_workspace_candidate(). Attackers can configure a remote terminal working directory to a system directory such as /etc, causing the workspace resolution path to accept it as a trusted local workspace root before the _is_blocked_workspace_path() guard executes, enabling read access to local system files through workspace file-read helpers.
Published: 2026-06-09
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI versions prior to 0.51.269 contain a workspace boundary bypass that allows an authenticated attacker to set a remote terminal's working directory to a system location such as /etc. Because the SSH/remote terminal profile workspace resolution logic in _remote_terminal_workspace_candidate() returns early, the blocked‑root path check in _is_blocked_workspace_path() is never reached, and the request is treated as a trusted local workspace root. This flaw lets the attacker read local system files via the workspace file‑read helpers, exposing sensitive data and violating confidentiality.

Affected Systems

Vulnerable releases are all Hermes WebUI versions before 0.51.269 from the vendor nesquena. The issue is present in the Hermes WebUI service that provides a web UI for managing workspaces; no specific edition or platform was listed.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity vulnerability. Exploitation requires authenticated access to the Hermes WebUI, after which the attacker can manipulate the remote terminal working directory. Because the EPSS score is not provided, current data on exploitation likelihood is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the ability to read system files could allow further compromise if trusted passwords or credentials are exposed.

Generated by OpenCVE AI on June 9, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.269 or later to eliminate the workspace boundary bypass
  • Restrict authenticated users from setting the remote terminal working directory to system directories such as /etc; validate paths before accepting them
  • Review and, if possible, remove the _remote_terminal_workspace_candidate function or enforce a hard code check that prevents early return when the path is blocked

Generated by OpenCVE AI on June 9, 2026 at 20:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Nesquena
Nesquena hermes-webui
Vendors & Products Nesquena
Nesquena hermes-webui

Tue, 09 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Hermes WebUI before version 0.51.269 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within _remote_terminal_workspace_candidate(). Attackers can configure a remote terminal working directory to a system directory such as /etc, causing the workspace resolution path to accept it as a trusted local workspace root before the _is_blocked_workspace_path() guard executes, enabling read access to local system files through workspace file-read helpers.
Title Hermes WebUI < 0.51.269 Workspace Boundary Bypass via api/workspace.py
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Nesquena Hermes-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T20:22:07.143Z

Reserved: 2026-06-02T16:30:15.232Z

Link: CVE-2026-49957

cve-icon Vulnrichment

Updated: 2026-06-09T20:22:02.765Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T17:17:49.083

Modified: 2026-06-09T19:36:10.547

Link: CVE-2026-49957

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:00:11Z

Weaknesses