Description
nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.
Published: 2026-04-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Leakage
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker or a legitimate user to access sensitive provider API keys that were set in a previously active profile. The Hermes-WebUI environment variable loader does not clear variables from the previous profile before loading the next one, so switching profiles preserves environment state. This additive dotenv reload behavior enables cross‑profile leakage of secrets, effectively breaking the security isolation that users expect between separate profile contexts.

Affected Systems

nesquena hermes‑webui. Versions prior to v0.50.12 (including the release tagged v0.50.11 and earlier) are vulnerable. The patch was applied in releases v0.50.12 and later, such as v0.50.132.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. EPSS is not available, so current exploitation probability is unknown, but the lack of a KEV listing suggests no known widespread exploitation. The attack can be performed by any user who can switch profiles within the same Hermes‑WebUI instance; it does not require remote code execution or elevated privileges, only the ability to load a malicious profile. The compromised credentials could then be used to access downstream services or sensitive data.

Generated by OpenCVE AI on April 22, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes‑WebUI to v0.50.12 or later, which clears environment variables on profile switch.
  • If immediate upgrade is not possible, isolate each profile by ensuring it uses a dedicated .env file and restrict file permissions so that other profiles cannot read them.
  • Monitor logs and user activity for unexpected usage of provider API keys that might indicate credential leakage across profiles.

Generated by OpenCVE AI on April 22, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Nesquena
Nesquena hermes-webui
Vendors & Products Nesquena
Nesquena hermes-webui

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.
Title Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch
Weaknesses CWE-459
CWE-668
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nesquena Hermes-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T13:43:58.788Z

Reserved: 2026-04-21T21:22:31.635Z

Link: CVE-2026-6830

cve-icon Vulnrichment

Updated: 2026-04-22T13:42:54.855Z

cve-icon NVD

Status : Deferred

Published: 2026-04-21T22:16:20.863

Modified: 2026-04-22T21:20:25.267

Link: CVE-2026-6830

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:56Z

Weaknesses