CVE-2026-6830 Overview
CVE-2026-6830 is an environment variable leakage vulnerability in nesquena hermes-webui where profile switching does not clear environment variables from the previously active profile before loading the next profile. This flaw allows attackers or users to exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.
Critical Impact
Sensitive credentials including provider API keys can leak across profile boundaries, potentially allowing unauthorized access to external services and breaking security isolation guarantees that users rely on when managing multiple profiles.
Affected Products
- nesquena hermes-webui versions prior to v0.50.12
- nesquena hermes-webui versions prior to v0.50.132
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-6830 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-6830
Vulnerability Analysis
This vulnerability stems from improper cleanup of incomplete resources (CWE-459) within the hermes-webui profile management system. When users switch between profiles in the application, the system fails to properly isolate environment variables between profile contexts. The dotenv loading mechanism operates additively, meaning environment variables set by one profile persist in memory even after switching to a different profile.
The core issue lies in how the application manages the os.environ dictionary during profile transitions. When a user configures API keys for providers in one profile, those keys are written directly to os.environ. However, when switching to a different profile, these environment variables are not cleared, allowing the subsequent profile to inadvertently inherit sensitive credentials from the previous session.
This breaks the fundamental security assumption that profiles operate in isolated contexts. Users who configure separate profiles for different purposes (e.g., development vs. production, or different client environments) expect that credentials from one profile cannot be accessed from another.
Root Cause
The root cause is the direct manipulation of os.environ when saving API keys during profile configuration. The vulnerable code in api/onboarding.py wrote provider API keys directly to the process environment without any mechanism to track or remove them during profile switches. Additionally, the profile management module in api/profiles.py lacked any tracking of which environment keys were loaded by the current profile.
Attack Vector
The attack requires local access to the system running hermes-webui. An attacker with access to the application can:
- Create or access a profile that has been configured with sensitive API keys
- Switch to a different profile (or their own profile)
- Access the leaked environment variables containing credentials from the previous profile context
- Use these credentials to access external provider APIs or services
This attack is particularly concerning in shared computing environments or where multiple users access the same hermes-webui instance.
# Vulnerable code pattern (api/onboarding.py) - before fix
# Source: https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0
if api_key:
_write_env_file(env_path, {provider_meta["env_var"]: api_key})
- # Belt-and-braces: set directly on os.environ so the value is visible to
- # any code in the same process that reads it before the next request cycle.
- os.environ[provider_meta["env_var"]] = api_key
# Reload the hermes_cli provider/config cache so the next streaming call
# picks up the new key without requiring a server restart.
# Fix implementation (api/profiles.py) - tracking loaded environment keys
# Source: https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0
# ── Module state ────────────────────────────────────────────────────────────
_active_profile = 'default'
_profile_lock = threading.Lock()
+_loaded_profile_env_keys: set[str] = set()
def _resolve_base_hermes_home() -> Path:
"""Return the BASE ~/.hermes directory — the root that contains profiles/.
Detection Methods for CVE-2026-6830
Indicators of Compromise
- Unexpected access to external provider APIs using credentials from a different user or profile context
- Audit logs showing API calls with credentials that should belong to a different profile
- Environment variable inspection revealing credentials that persist after profile switching
Detection Strategies
- Monitor for API authentication events that occur using credentials from profiles that are not currently active
- Implement logging around profile switch operations to track environment state changes
- Deploy runtime monitoring to detect unexpected environment variable persistence across profile boundaries
Monitoring Recommendations
- Enable verbose logging for profile management operations in hermes-webui
- Monitor external provider API usage patterns for anomalies indicating credential leakage
- Implement alerts for environment variable access patterns that span multiple profile contexts
- Review application logs for profile switching events correlated with unexpected API activity
How to Mitigate CVE-2026-6830
Immediate Actions Required
- Update hermes-webui to version v0.50.12 or v0.50.132 or later immediately
- Rotate any API keys that may have been exposed through profile switching
- Review audit logs to identify potential unauthorized access to provider APIs
- Restart hermes-webui instances after updating to ensure clean environment state
Patch Information
The vulnerability has been addressed in the official patch available at the GitHub commit 88dc8bb. The fix removes the direct os.environ manipulation in the onboarding flow and introduces a tracking mechanism (_loaded_profile_env_keys) in the profiles module to properly manage environment variable cleanup during profile switches.
Fixed versions are available:
For additional details, refer to the VulnCheck Security Advisory and GitHub Pull Request #351.
Workarounds
- Restart the hermes-webui application after each profile switch to clear the process environment
- Avoid using multiple profiles with sensitive credentials on shared systems until patched
- Implement separate hermes-webui instances for different security contexts requiring credential isolation
- Manually clear sensitive environment variables before switching profiles if immediate patching is not possible
# Configuration example - Restart hermes-webui to clear environment state
# Stop the current hermes-webui process
pkill -f hermes-webui
# Start with fresh environment
hermes-webui start
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
