Path Traversal Vulnerability in Hermes WebUI by Nesquena
CVE-2026-22677
6 MEDIUM
What is CVE-2026-22677?
Hermes WebUI versions before 0.51.44 contain a path traversal vulnerability that lets authenticated attackers read any file accessible to the WebUI process. The session import endpoint accepts a crafted session with an unrestricted workspace value, so an attacker can supply a filesystem root that is meant to be blocked. With the workspace set this way, relative paths in the session file API can be exploited, potentially leading to unauthorized file access. Users are advised to update to the latest version.
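One way to apply the two checks this description implies, as an added example that is not Hermes WebUI's code or its actual patch: validate the workspace on every entry path, including session import, and confine each relative file path to the validated workspace. The function names, the `BLOCKED_ROOTS` list and the allowed base directory are assumptions made for illustration.

```python
from pathlib import Path

# Assumption: roots a workspace must never equal (constructed list, not the project's).
BLOCKED_ROOTS = {Path("/"), Path("/etc"), Path("/root"), Path("/home")}


class WorkspaceError(ValueError):
    """Raised when a workspace or file path fails validation."""


def validate_workspace(raw, allowed_base):
    """Validate a workspace value from any source, including imported sessions."""
    if not isinstance(raw, str) or not raw.strip():
        raise WorkspaceError("workspace must be a non-empty string")
    base = Path(allowed_base).resolve()
    ws = Path(raw).resolve()  # collapses '..' segments and symlinks
    if ws in BLOCKED_ROOTS or ws == Path(ws.anchor):
        raise WorkspaceError(f"blocked filesystem root: {ws}")
    if ws != base and base not in ws.parents:
        raise WorkspaceError(f"workspace outside allowed base: {ws}")
    return ws


def resolve_session_file(workspace, rel):
    """Resolve a relative path from the file API, confined to the workspace."""
    if Path(rel).is_absolute():
        raise WorkspaceError("absolute paths are not accepted")
    target = (workspace / rel).resolve()
    if target != workspace and workspace not in target.parents:
        raise WorkspaceError(f"path escapes workspace: {rel}")
    return target


def import_session(session, allowed_base):
    """Import path: re-validate the workspace instead of trusting the payload."""
    clean = dict(session)
    clean["workspace"] = str(validate_workspace(session.get("workspace"), allowed_base))
    return clean
```

The containment check in `resolve_session_file` runs on the resolved path, so a symlink inside the workspace that points outside it is rejected as well.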
Affected Version(s)
hermes-webui 0
hermes-webui 0 < 0.51.44
hermes-webui f00cb74f776f22f02f5eb6b39dfb389f87cc7fd3
