CVE-2026-49957 Overview
CVE-2026-49957 is a workspace boundary bypass vulnerability in Hermes WebUI versions prior to 0.51.296. The flaw resides in the SSH/remote terminal profile workspace resolution logic within the _remote_terminal_workspace_candidate() function. An authenticated attacker can configure a remote terminal working directory to a sensitive system path such as /etc, causing workspace resolution to accept it as a trusted local workspace root. The _is_blocked_workspace_path() guard never executes because of an early return, enabling read access to local system files through workspace file-read helpers. The issue is classified under CWE-22 (Path Traversal).
Critical Impact
Authenticated attackers can read arbitrary local system files by configuring a remote terminal working directory to bypass workspace path restrictions.
Affected Products
- Hermes WebUI versions prior to 0.51.296
- Deployments exposing the api/workspace.py remote terminal profile functionality
- Instances allowing authenticated users to configure SSH/remote terminal profiles
Discovery Timeline
- 2026-06-09 - CVE-2026-49957 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-49957
Vulnerability Analysis
The vulnerability stems from incorrect ordering of trust decisions in the workspace resolution pipeline. Hermes WebUI exposes a workspace abstraction that enforces path boundaries through _is_blocked_workspace_path(). This guard normally rejects attempts to access sensitive directories outside permitted workspace roots.
However, the SSH/remote terminal profile code path invokes _remote_terminal_workspace_candidate() before the blocked-path guard executes. The candidate function returns early when a remote terminal working directory is configured, treating that path as a trusted local workspace root. The blocked-path check is never reached for these candidates.
Authenticated attackers exploit this gap to read files from system directories using existing workspace file-read helpers. The impact is confined to confidentiality of files readable by the Hermes WebUI process.
Root Cause
The root cause is a control flow defect where path validation occurs after, rather than before, candidate path acceptance. The early return in _remote_terminal_workspace_candidate() short-circuits the security check, violating the principle that all candidate workspace roots must pass the blocked-path guard before being trusted.
Attack Vector
An authenticated user with permission to configure remote terminal profiles sets the working directory to a target system path such as /etc, /var/log, or /root. Subsequent workspace file-read requests resolve against the attacker-controlled root and return file contents that would otherwise be blocked. No special privilege escalation is required beyond the ability to create or modify a terminal profile.
No verified proof-of-concept code is publicly available. Refer to the VulnCheck Security Advisory and the GitHub Commit for technical specifics of the patch.
Detection Methods for CVE-2026-49957
Indicators of Compromise
- Remote terminal profile configurations referencing system paths such as /etc, /root, /var, or /proc
- Workspace file-read API requests returning content from outside expected project directories
- Audit log entries showing profile modifications followed by file-read calls targeting sensitive paths
- Hermes WebUI process accessing files unrelated to user project workspaces
Detection Strategies
- Inspect persisted remote terminal profile records for working directories pointing at OS paths
- Correlate authenticated user actions that create or update terminal profiles with subsequent workspace file-read calls
- Alert when workspace resolution returns paths outside the configured project root hierarchy
- Review web server access logs for sequential api/workspace.py requests originating from a single session
Monitoring Recommendations
- Enable verbose application logging for the _remote_terminal_workspace_candidate() and _is_blocked_workspace_path() code paths
- Forward Hermes WebUI logs to a centralized log analytics platform for path-traversal pattern matching
- Track unique workspace root values per user and flag deviations from baseline
- Monitor file system reads by the Hermes WebUI service process against an allowlist of expected directories
How to Mitigate CVE-2026-49957
Immediate Actions Required
- Upgrade Hermes WebUI to version 0.51.296 or later immediately
- Audit all existing remote terminal profile configurations for suspicious working directories
- Revoke or restrict authenticated user permissions to create or modify terminal profiles where not required
- Review application and access logs for prior exploitation indicators
Patch Information
The vulnerability is resolved in Hermes WebUI v0.51.296. The fix is documented in Pull Request #3731, Pull Request #3744, and the corresponding commit 91a89fb. The patch reorders the workspace resolution logic so the _is_blocked_workspace_path() guard executes before remote terminal candidates are accepted.
Workarounds
- Restrict access to Hermes WebUI to trusted users until the patched version is deployed
- Disable remote terminal profile creation for non-administrative accounts where supported
- Run the Hermes WebUI process under a least-privilege service account to limit file read scope
- Place the application behind authentication proxies enforcing additional access controls
# Configuration example
# Upgrade Hermes WebUI to the patched release
pip install --upgrade hermes-webui==0.51.296
# Verify the installed version
hermes-webui --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

