CVE-2026-49958 MEDIUM

CVE-2026-49958: Hermes WebUI < 0.51.303 TOCTOU Race Condition via git_discard

Vendor Nesquena
Product hermes-webui
Weakness CWE-367
Published June 9, 2026
Last update June 9, 2026

CVSS base score

4.3/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated