CVE-2026-58174 Overview
CVE-2026-58174 is a cross-profile authorization bypass in Hermes WebUI versions prior to 0.51.521. The /api/session/import handler validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile attribute. As a result, the imported session is persisted with a null profile, and the application's profile authorization check treats a null profile as the default profile. An authenticated user on the default profile can then export the imported session transcript and use its session identifier to read files from a named profile's workspace, defeating profile isolation [CWE-732].
Critical Impact
A low-privileged user on the default profile can read files from any named profile's workspace, breaking tenant-style isolation between profiles in Hermes WebUI.
Affected Products
- Hermes WebUI versions prior to 0.51.521
- Deployments using multiple named profiles for workspace isolation
- /api/session/import handler in api/routes.py
Discovery Timeline
- 2026-06-30 - CVE-2026-58174 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-58174
Vulnerability Analysis
Hermes WebUI uses named profiles to isolate session workspaces from one another. The /api/session/import route validates that the imported session's workspace matches the active named profile before accepting it. However, the handler builds the resulting Session object without assigning the profile field. The persisted session therefore stores a null profile value.
Downstream, the profile authorization check interprets a null profile as the default profile. This mismatch between the validation context and the stored session context enables a user operating in the default profile to access transcripts and files that belong to a different named profile's workspace.
Root Cause
The root cause is an incorrect permission assignment during object construction [CWE-732]. The Session constructor omits the profile argument, and the authorization layer's null-as-default fallback converts that omission into an implicit privilege grant. Validation and enforcement operate on inconsistent state.
Attack Vector
An authenticated user on the default profile imports a session that references a named profile's workspace. Because import-time validation is bound to the active profile, the request succeeds. The stored session record carries a null profile, so subsequent reads of the session transcript, along with any workspace file references it contains, are authorized as default-profile access. The attacker exports the transcript or supplies the session identifier to file-read APIs to exfiltrate content from the target profile's workspace.
model=model,
messages=messages,
tool_calls=body.get("tool_calls", []),
+ profile=get_active_profile_name(),
)
s.pinned = body.get("pinned", False)
with LOCK:
Source: GitHub commit 3d5ef47. The patch adds profile=get_active_profile_name() to the Session constructor in api/routes.py, binding the persisted session to the active profile at import time and eliminating the null-profile fallback.
Detection Methods for CVE-2026-58174
Indicators of Compromise
- Session records in the Hermes WebUI datastore with a null or missing profile field created via the /api/session/import handler.
- Session export or file-read API calls whose session identifier references a workspace outside the requesting user's active profile.
- Unexpected access to named-profile workspace files from accounts that only operate in the default profile.
Detection Strategies
- Audit imported sessions and flag any whose profile value is null or does not match the workspace they reference.
- Correlate /api/session/import requests with subsequent transcript export and file-read calls that cross profile boundaries.
- Alert on default-profile users invoking session identifiers tied to named-profile workspaces.
Monitoring Recommendations
- Enable verbose access logging on /api/session/import, session export, and workspace file-read endpoints.
- Track the running Hermes WebUI version and alert when instances remain below 0.51.521.
- Review the VulnCheck advisory for additional detection guidance.
How to Mitigate CVE-2026-58174
Immediate Actions Required
- Upgrade Hermes WebUI to version 0.51.521 or later as published in GitHub Release v0.51.521.
- Inventory all Hermes WebUI deployments that rely on named profiles for workspace isolation.
- Review historical session records for entries with a null profile and quarantine any that reference workspaces outside the importer's active profile.
Patch Information
The fix is delivered in Hermes WebUI 0.51.521 via Pull Request #4506 (staging Pull Request #4489) and commit 3d5ef47. The patch sets profile=get_active_profile_name() when constructing the Session object in the /api/session/import handler, ensuring imported sessions inherit the active profile rather than defaulting to null.
Workarounds
- Restrict access to the /api/session/import endpoint to trusted administrators until the upgrade is applied.
- Disable session import functionality for users on the default profile if the deployment cannot be upgraded immediately.
- Enforce network-level segmentation between profiles so that cross-profile file reads fail even if authorization is bypassed.
# Verify installed Hermes WebUI version and upgrade if below 0.51.521
pip show hermes-webui | grep -i version
pip install --upgrade 'hermes-webui>=0.51.521'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

