CVE-2026-22677 Overview
CVE-2026-22677 is a path traversal vulnerability [CWE-22] in Hermes WebUI versions prior to 0.51.44. The flaw resides in the session import endpoint, which fails to validate the workspace field within imported session files. An authenticated attacker can supply a blocked filesystem root as the workspace value, then issue subsequent requests to the session file API using relative paths. This bypass allows the attacker to read any file accessible to the Hermes WebUI process. The vulnerability requires valid authentication and network access to the WebUI interface.
Critical Impact
Authenticated attackers can read arbitrary files on the host filesystem, including configuration files, credentials, and session state, limited only by the permissions of the Hermes WebUI process.
Affected Products
- Hermes WebUI versions prior to 0.51.44
- Hermes WebUI session import endpoint
- Hermes WebUI session file API
Discovery Timeline
- 2026-05-13 - CVE-2026-22677 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-22677
Vulnerability Analysis
The vulnerability exists in how Hermes WebUI processes imported session data. The session import endpoint accepts a workspace value without enforcing an allowlist of permitted filesystem roots. After importing a session with a maliciously crafted workspace value, the attacker uses the session file API to request files relative to that workspace. Because the workspace root is unrestricted, relative path segments resolve to arbitrary filesystem locations. The result is read access to files outside the intended session boundary.
Root Cause
The root cause is insufficient input validation on the workspace field of session import payloads. The application trusts the caller-supplied path and uses it as a base directory for subsequent file resolution. No canonicalization or root containment check is applied before joining user-supplied relative paths to the workspace root. This is a textbook [CWE-22] path traversal pattern, where the boundary between user input and filesystem operations is not enforced.
Attack Vector
An authenticated user issues a POST request to the session import endpoint with a session object whose workspace points to a sensitive directory such as / or /etc. The server stores the session with that workspace value. The attacker then calls the session file API with relative path segments such as passwd or shadow, which the server resolves against the malicious workspace and returns to the caller. The attack requires only standard user privileges on the WebUI and proceeds entirely over the network.
The upstream patch updates default state directory handling in .env.example and tightens model loading logic in api/providers.py:
# Port to listen on (default: 8787)
# HERMES_WEBUI_PORT=8787
-# Where to store sessions, workspaces, and other state (default: ~/.hermes/webui-mvp)
+# Where to store sessions, workspaces, and other state (default: ~/.hermes/webui)
# HERMES_WEBUI_STATE_DIR=~/.hermes/webui
# Default workspace directory shown on first launch
Source: GitHub Commit f00cb74
Detection Methods for CVE-2026-22677
Indicators of Compromise
- Session import requests containing workspace values pointing to filesystem roots such as /, /etc, /root, C:\, or other directories outside the expected Hermes state directory.
- Session file API requests using traversal sequences or relative paths that resolve to sensitive files like passwd, shadow, id_rsa, or .env.
- Unusual file read patterns in Hermes WebUI logs targeting files unrelated to the user's normal session activity.
Detection Strategies
- Inspect Hermes WebUI access logs for POST requests to the session import endpoint with abnormal workspace values.
- Correlate session import events with subsequent session file API reads to identify file access outside the expected workspace tree.
- Alert on Hermes WebUI process reads of files owned by other users or located in system directories.
Monitoring Recommendations
- Forward Hermes WebUI application logs and host filesystem audit events to a centralized analytics platform for correlation.
- Baseline normal workspace directory paths used by legitimate users and flag deviations.
- Monitor the parent process of Hermes WebUI for unexpected file opens against /etc, user home directories, and credential stores.
How to Mitigate CVE-2026-22677
Immediate Actions Required
- Upgrade Hermes WebUI to version 0.51.44 or later, which contains the official fix referenced in Pull Request #2048.
- Audit existing stored sessions for workspace values that point outside the intended Hermes state directory and remove any malicious entries.
- Rotate any credentials, tokens, or secrets that may have resided in files readable by the Hermes WebUI process.
Patch Information
The fix is included in Hermes WebUI Release v0.51.44. Patch details are available in GitHub Commit f00cb74 and the corresponding VulnCheck Advisory. The patch tightens workspace handling and adjusts default state directory configuration.
Workarounds
- Restrict network access to Hermes WebUI to trusted users until the patch is applied.
- Run Hermes WebUI under a dedicated low-privilege account with read access only to its intended state directory.
- Apply filesystem-level access controls or a mandatory access control profile that confines the WebUI process to its working directory.
# Example: run Hermes WebUI as a confined service account
sudo useradd --system --home /var/lib/hermes --shell /usr/sbin/nologin hermes
sudo install -d -o hermes -g hermes -m 0750 /var/lib/hermes/webui
export HERMES_WEBUI_STATE_DIR=/var/lib/hermes/webui
sudo -u hermes hermes-webui
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
