CVE-2026-6829: Hermes WebUI Path Traversal Vulnerability

CVE-2026-6829 Overview

CVE-2026-6829 is a trust-boundary failure vulnerability in nesquena hermes-webui that allows authenticated attackers to manipulate workspace path parameters to access arbitrary directories on disk. By exploiting vulnerable API endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add, attackers can repoint a session workspace to directories outside the intended trusted root and subsequently use ordinary file read and write APIs to access or modify files within the permissions of the hermes-webui process.

Critical Impact
Authenticated attackers can escape the intended workspace sandbox to read or write sensitive files anywhere on the filesystem that the hermes-webui process has access to, potentially leading to data exfiltration, configuration tampering, or further system compromise.

Affected Products

nesquena hermes-webui versions prior to v0.50.34

Discovery Timeline

2026-04-21 - CVE-2026-6829 published to NVD
2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-6829

Vulnerability Analysis

This vulnerability stems from insufficient validation of user-supplied workspace path parameters in the hermes-webui application. The application provides multiple API endpoints that accept workspace directory paths as input parameters but fails to properly validate that these paths remain within the application's intended trusted workspace root. An authenticated user can supply arbitrary filesystem paths—including absolute paths or paths using traversal sequences—to escape the designated workspace boundary.

Once an attacker successfully sets a session workspace to an arbitrary directory, they gain the ability to leverage the application's built-in file manipulation APIs to read, write, or modify files anywhere the hermes-webui process has filesystem permissions. This trust-boundary failure can expose sensitive configuration files, credentials, application source code, or other confidential data present on the server.

Root Cause

The root cause is a path traversal vulnerability (CWE-22) arising from the lack of validation ensuring that user-supplied workspace paths remain within the application's trusted workspace root directory. The original implementation did not enforce containment of workspace paths to a designated sandbox, allowing paths outside the intended boundary to be accepted and used for file operations.

Attack Vector

The attack requires network access and authenticated credentials to the hermes-webui application. An authenticated attacker can craft malicious requests to vulnerable endpoints such as /api/session/new, /api/session/update, /api/chat/start, or /api/workspaces/add with manipulated workspace path parameters. The attack flow involves:

Authenticating to the hermes-webui application
Sending a request to one of the vulnerable endpoints with a workspace path pointing to a sensitive directory (e.g., /etc, /home, or application configuration directories)
Using the application's file read/write APIs to access or modify files within that directory
Extracting sensitive data or implanting malicious content

The security patch introduces the resolve_trusted_workspace function to validate workspace paths:

python

def resolve_trusted_workspace(path: str | Path | None = None) -> Path:
    """Resolve and validate a workspace path under the WebUI's trusted workspace root.

    The trusted root is the WebUI boot-time DEFAULT_WORKSPACE (respects
    HERMES_WEBUI_STATE_DIR for test isolation). Session creation/update and
    workspace-list mutations must stay within that root so callers cannot repoint
    a session to arbitrary filesystem locations outside the intended sandbox.

    Note: _profile_default_workspace() reads the agent's terminal.cwd which may
    differ from the WebUI's configured workspace root — always use DEFAULT_WORKSPACE
    here to stay consistent with how new_session() seeds the initial workspace.
    """
    root = Path(_BOOT_DEFAULT_WORKSPACE).expanduser().resolve()
    candidate = root if path in (None, "") else Path(path).expanduser().resolve()
    if not candidate.exists():
        raise ValueError(f"Path does not exist: {candidate}")
    if not candidate.is_dir():
        raise ValueError(f"Path is not a directory: {candidate}")
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"Path is outside the trusted workspace root: {candidate}")
    return candidate

Source: GitHub Commit

Detection Methods for CVE-2026-6829

Indicators of Compromise

Unusual API requests to /api/session/new, /api/session/update, /api/chat/start, or /api/workspaces/add containing absolute filesystem paths or path traversal sequences (../)
Session workspace values pointing to system directories such as /etc, /root, /home, or application configuration directories
File access logs showing reads or writes to sensitive files outside the intended workspace directory
Anomalous authenticated user activity patterns targeting workspace-related endpoints

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns in workspace-related API parameters
Monitor application logs for workspace path assignments that reference directories outside the expected workspace root
Deploy endpoint detection to identify file access operations by the hermes-webui process to sensitive system directories
Review audit logs for authenticated sessions making rapid changes to workspace configurations

Monitoring Recommendations

Enable verbose logging for all workspace-related API endpoints to capture full request parameters
Configure alerts for any workspace path that resolves outside the application's designated workspace root directory
Monitor file integrity of sensitive system files and directories that could be targeted via this vulnerability
Implement runtime application self-protection (RASP) to detect and block path traversal attempts

How to Mitigate CVE-2026-6829

Immediate Actions Required

Upgrade hermes-webui to version v0.50.34 or later immediately
Review application logs for any evidence of exploitation attempts targeting workspace manipulation endpoints
Audit current session workspaces to identify any pointing to directories outside the intended workspace root
Restrict network access to the hermes-webui application to trusted users and networks until patching is complete

Patch Information

The vulnerability has been addressed in hermes-webui version v0.50.34. The fix introduces the resolve_trusted_workspace function which validates that all workspace paths remain within the trusted workspace root directory established at application boot time. The patch ensures that any attempt to set a workspace path outside the sandbox results in a validation error.

For detailed information about the security fix, refer to:

Workarounds

If immediate patching is not possible, implement network-level access controls to restrict who can access the hermes-webui application
Configure a reverse proxy with request filtering to block workspace path parameters containing path traversal sequences or absolute paths
Run the hermes-webui process with minimal filesystem permissions to limit the impact of potential exploitation
Use container isolation or chroot environments to restrict the application's filesystem view

bash

# Example: Running hermes-webui with restricted filesystem access using Docker
docker run --read-only \
  --tmpfs /tmp \
  -v /app/workspace:/workspace:rw \
  -e HERMES_WEBUI_STATE_DIR=/workspace \
  hermes-webui:v0.50.34

CVE-2026-6829 Overview

Critical Impact
Authenticated attackers can escape the intended workspace sandbox to read or write sensitive files anywhere on the filesystem that the hermes-webui process has access to, potentially leading to data exfiltration, configuration tampering, or further system compromise.

Affected Products

nesquena hermes-webui versions prior to v0.50.34

Discovery Timeline

2026-04-21 - CVE-2026-6829 published to NVD
2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-6829

Vulnerability Analysis

Root Cause

Attack Vector

Authenticating to the hermes-webui application
Sending a request to one of the vulnerable endpoints with a workspace path pointing to a sensitive directory (e.g., /etc, /home, or application configuration directories)
Using the application's file read/write APIs to access or modify files within that directory
Extracting sensitive data or implanting malicious content

The security patch introduces the resolve_trusted_workspace function to validate workspace paths:

python

def resolve_trusted_workspace(path: str | Path | None = None) -> Path:
    """Resolve and validate a workspace path under the WebUI's trusted workspace root.

    The trusted root is the WebUI boot-time DEFAULT_WORKSPACE (respects
    HERMES_WEBUI_STATE_DIR for test isolation). Session creation/update and
    workspace-list mutations must stay within that root so callers cannot repoint
    a session to arbitrary filesystem locations outside the intended sandbox.

    Note: _profile_default_workspace() reads the agent's terminal.cwd which may
    differ from the WebUI's configured workspace root — always use DEFAULT_WORKSPACE
    here to stay consistent with how new_session() seeds the initial workspace.
    """
    root = Path(_BOOT_DEFAULT_WORKSPACE).expanduser().resolve()
    candidate = root if path in (None, "") else Path(path).expanduser().resolve()
    if not candidate.exists():
        raise ValueError(f"Path does not exist: {candidate}")
    if not candidate.is_dir():
        raise ValueError(f"Path is not a directory: {candidate}")
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"Path is outside the trusted workspace root: {candidate}")
    return candidate

Source: GitHub Commit

Detection Methods for CVE-2026-6829

Indicators of Compromise

Unusual API requests to /api/session/new, /api/session/update, /api/chat/start, or /api/workspaces/add containing absolute filesystem paths or path traversal sequences (../)
Session workspace values pointing to system directories such as /etc, /root, /home, or application configuration directories
File access logs showing reads or writes to sensitive files outside the intended workspace directory
Anomalous authenticated user activity patterns targeting workspace-related endpoints

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns in workspace-related API parameters
Monitor application logs for workspace path assignments that reference directories outside the expected workspace root
Deploy endpoint detection to identify file access operations by the hermes-webui process to sensitive system directories
Review audit logs for authenticated sessions making rapid changes to workspace configurations

Monitoring Recommendations

Enable verbose logging for all workspace-related API endpoints to capture full request parameters
Configure alerts for any workspace path that resolves outside the application's designated workspace root directory
Monitor file integrity of sensitive system files and directories that could be targeted via this vulnerability
Implement runtime application self-protection (RASP) to detect and block path traversal attempts

How to Mitigate CVE-2026-6829

Immediate Actions Required

Upgrade hermes-webui to version v0.50.34 or later immediately
Review application logs for any evidence of exploitation attempts targeting workspace manipulation endpoints
Audit current session workspaces to identify any pointing to directories outside the intended workspace root
Restrict network access to the hermes-webui application to trusted users and networks until patching is complete

Patch Information

For detailed information about the security fix, refer to:

Workarounds

If immediate patching is not possible, implement network-level access controls to restrict who can access the hermes-webui application
Configure a reverse proxy with request filtering to block workspace path parameters containing path traversal sequences or absolute paths
Run the hermes-webui process with minimal filesystem permissions to limit the impact of potential exploitation
Use container isolation or chroot environments to restrict the application's filesystem view

bash

# Example: Running hermes-webui with restricted filesystem access using Docker
docker run --read-only \
  --tmpfs /tmp \
  -v /app/workspace:/workspace:rw \
  -e HERMES_WEBUI_STATE_DIR=/workspace \
  hermes-webui:v0.50.34

CVE-2026-6829: Hermes WebUI Path Traversal Vulnerability

CVE-2026-6829 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-6829

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-6829

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-6829

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-6829: Hermes WebUI Path Traversal Vulnerability

CVE-2026-6829 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-6829

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-6829

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-6829

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform