TOCTOU Race Condition Vulnerability in Hermes WebUI by nesquena
CVE-2026-49958

4.3 MEDIUM

Key Information:

Vendor: Nesquena

CVE Published: 9 June 2026

What is CVE-2026-49958?

Hermes WebUI prior to version 0.51.303 is susceptible to a time-of-check time-of-use (TOCTOU) race condition in the git_discard function found in api/workspace_git.py. This vulnerability permits an attacker to delete files outside the defined workspace boundary by exploiting a symlink. Specifically, the attacker can substitute a controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation phase and the execution of the deletion commands (Path.unlink() or shutil.rmtree()). Consequently, this can lead to unintended file removals beyond the intended workspace, significantly compromising data integrity.
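The check-then-delete pattern the advisory describes, next to a descriptor-anchored form that removes the window between the check and the deletion, as an added example written for this page; it is not Hermes WebUI's code. safe_resolve_ws() here is a hypothetical stand-in for the real function, and discard_checked_by_path(), discard_fd_anchored(), _open_dir_nofollow(), _rmtree_fd() and demo() are assumed names. It relies on POSIX dir_fd support and O_NOFOLLOW, so it runs on Linux and macOS only; the workspace it operates on is constructed in a temporary directory.

```python
import errno
import os
import shutil
import stat
import tempfile
from pathlib import Path


def safe_resolve_ws(workspace: Path, rel: str) -> Path:
    """Hypothetical stand-in: resolve the path and check it stays inside workspace."""
    target = (workspace / rel).resolve()
    if target != workspace and workspace not in target.parents:
        raise PermissionError(f"{rel!r} resolves outside the workspace")
    return target


def discard_checked_by_path(workspace: Path, rel: str) -> None:
    # Check-then-delete pattern of the kind the advisory describes: the containment
    # check and the deletion are separate path lookups, so a component that turns
    # into a symlink between the two is followed by the deletion.
    target = safe_resolve_ws(workspace, rel)      # time of check
    if target.is_dir():
        shutil.rmtree(target)                     # time of use
    else:
        target.unlink()


def _open_dir_nofollow(name: str, dir_fd: int) -> int:
    # Open one directory component relative to an already-open parent, refusing symlinks.
    try:
        return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as e:
        # ELOOP: component is a symlink; ENOTDIR: component is not a directory.
        if e.errno in (errno.ELOOP, errno.ENOTDIR):
            raise PermissionError(f"refusing to traverse {name!r}: not a real directory") from e
        raise


def _rmtree_fd(name: str, parent_fd: int) -> None:
    # Remove a tree through descriptors; symlinks inside it are unlinked, never followed.
    fd = _open_dir_nofollow(name, parent_fd)
    try:
        with os.scandir(fd) as entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=False):
                    _rmtree_fd(entry.name, fd)
                else:
                    os.unlink(entry.name, dir_fd=fd)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)


def discard_fd_anchored(workspace: Path, rel: str) -> None:
    """Hardened discard: walk each component with O_NOFOLLOW and delete via dir_fd.

    There is no separate check step. Every lookup is anchored to a descriptor that
    was opened for the verified parent, so a component swapped for a symlink fails
    to open instead of redirecting the deletion outside the workspace.
    """
    p = Path(rel)
    if p.is_absolute() or not p.parts or any(c in (".", "..") for c in p.parts):
        raise PermissionError(f"{rel!r} must be a plain relative path")
    dir_fd = os.open(workspace, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in p.parts[:-1]:
            nxt = _open_dir_nofollow(name, dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        leaf = p.parts[-1]
        st = os.lstat(leaf, dir_fd=dir_fd)        # lstat: never follows a symlink leaf
        if stat.S_ISDIR(st.st_mode):
            _rmtree_fd(leaf, dir_fd)
        else:
            os.unlink(leaf, dir_fd=dir_fd)        # a symlink leaf is removed, not followed
    finally:
        os.close(dir_fd)


def demo() -> dict:
    # Constructed scenario: a workspace holding a file, a subdirectory and a directory
    # symlink that points outside the workspace (all created in a temp dir).
    root = Path(tempfile.mkdtemp()).resolve()
    ws, outside = root / "ws", root / "outside"
    (ws / "sub").mkdir(parents=True)
    outside.mkdir()
    (ws / "a.txt").write_text("a")
    (ws / "sub" / "b.txt").write_text("b")
    (outside / "secret.txt").write_text("keep me")
    (ws / "link").symlink_to(outside, target_is_directory=True)
    r = {}
    try:
        safe_resolve_ws(ws, "link/secret.txt")
        r["check_rejects"] = False
    except PermissionError:
        r["check_rejects"] = True                 # a link present at check time is caught
    discard_fd_anchored(ws, "a.txt")
    r["file_removed"] = not (ws / "a.txt").exists()
    discard_fd_anchored(ws, "sub")
    r["dir_removed"] = not (ws / "sub").exists()
    try:
        discard_fd_anchored(ws, "link/secret.txt")
        r["symlink_blocked"] = False
    except PermissionError:
        r["symlink_blocked"] = True               # refused at the "link" component
    discard_fd_anchored(ws, "link")
    r["leaf_link_unlinked"] = not (ws / "link").is_symlink()
    r["outside_intact"] = (outside / "secret.txt").exists()
    shutil.rmtree(root)
    return r
```

Calling demo() builds the scenario and returns which operations succeeded. The path-based variant is sound only if the filesystem does not change between safe_resolve_ws() and the deletion; the descriptor-anchored variant carries the verified parent forward as an open file descriptor, so later path components are never re-resolved from a string. shutil.rmtree is itself resistant to symlink substitution inside the tree it removes on platforms where shutil.rmtree.avoids_symlink_attacks is True, but the leading components of the path handed to it are still resolved at use time, which is the window the advisory describes.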

Affected Version(s)

hermes-webui 0

References

CVSS V4

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Chia Min Jun Lennon