CVE-2026-58174 MEDIUM

CVE-2026-58174: Hermes WebUI < 0.51.521 - Cross-Profile Authorization Bypass via Unset Session Profile on Import

Vendor Nesquena
Product hermes-webui
Weakness CWE-732 (Incorrect Permission Assignment for Critical Resource)
Published June 30, 2026
Last update June 30, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

In Hermes WebUI before 0.51.521, the /api/session/import handler validates the workspace of an imported session against the active named profile, but then constructs the Session object without setting its profile, so the imported session is persisted with a null profile. Because the profile authorization check treats a null profile as the default profile, a user on the default profile can export the imported session transcript, take its session identifier from the export, and use that identifier to read files from the named profile's workspace. This defeats the application's profile isolation: a session whose workspace belongs to one profile becomes readable from another.
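The following is an added, constructed model of the flaw described above; it is not hermes-webui code, and the language, the profile-to-workspace mapping, the function names and the shape of the fix are assumptions made for illustration. It shows the import handler that validates the workspace but leaves the profile unset, the authorization check that collapses a null profile to the default profile, and the resulting cross-profile read, next to an import that persists the profile it validated against.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DEFAULT_PROFILE = "default"

# Constructed profile -> workspace root mapping (hypothetical paths, not the project's).
PROFILE_WORKSPACES: Dict[str, str] = {
    "default": "/data/default",
    "research": "/data/research",
}

# Constructed in-memory stand-in for the files inside each workspace.
FILES: Dict[str, str] = {
    "/data/default/notes.txt": "public notes",
    "/data/research/secret.txt": "research-only material",
}


@dataclass
class Session:
    session_id: str
    workspace: str
    profile: Optional[str] = None  # None is what the vulnerable import persists


class SessionStore:
    """Minimal stand-in for the persisted session table."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def save(self, session: Session) -> None:
        self._sessions[session.session_id] = session

    def get(self, session_id: str) -> Optional[Session]:
        return self._sessions.get(session_id)

    def all(self) -> List[Session]:
        return list(self._sessions.values())


def validate_workspace(workspace: str, profile: str) -> None:
    """The check the import handler does run: workspace must sit under the named profile's root."""
    root = PROFILE_WORKSPACES[profile]
    if not (workspace == root or workspace.startswith(root + "/")):
        raise ValueError(f"workspace {workspace!r} is not inside profile {profile!r}")


def authorize(session: Session, active_profile: str) -> bool:
    """Profile authorization check as described: a null profile is treated as the default profile."""
    owner = session.profile if session.profile is not None else DEFAULT_PROFILE
    return owner == active_profile


def import_session_vulnerable(store: SessionStore, active_profile: str,
                              session_id: str, workspace: str) -> Session:
    """Models the pre-0.51.521 handler: validates under the named profile, never sets profile."""
    validate_workspace(workspace, active_profile)
    session = Session(session_id=session_id, workspace=workspace)  # profile left as None
    store.save(session)
    return session


def import_session_fixed(store: SessionStore, active_profile: str,
                         session_id: str, workspace: str) -> Session:
    """Assumed fix: persist the profile the workspace was validated against."""
    validate_workspace(workspace, active_profile)
    session = Session(session_id=session_id, workspace=workspace, profile=active_profile)
    store.save(session)
    return session


def list_sessions(store: SessionStore, active_profile: str) -> List[str]:
    """Session identifiers visible to the caller's profile (how the attacker learns the id)."""
    return [s.session_id for s in store.all() if authorize(s, active_profile)]


def export_transcript(store: SessionStore, active_profile: str, session_id: str) -> Dict[str, str]:
    session = store.get(session_id)
    if session is None or not authorize(session, active_profile):
        raise PermissionError("session not visible from this profile")
    return {"session_id": session.session_id, "workspace": session.workspace}


def read_workspace_file(store: SessionStore, active_profile: str,
                        session_id: str, relpath: str) -> str:
    session = store.get(session_id)
    if session is None or not authorize(session, active_profile):
        raise PermissionError("session not visible from this profile")
    return FILES[f"{session.workspace}/{relpath}"]


def cross_profile_read(importer: Callable[..., Session]) -> Optional[str]:
    """Returns the named profile's file if a default-profile user can reach it, else None."""
    store = SessionStore()
    # A user on the 'research' profile imports a session; workspace validation passes.
    importer(store, "research", "sess-1", "/data/research")
    # A user on the default profile lists, exports, then reads via the exported identifier.
    try:
        visible = list_sessions(store, DEFAULT_PROFILE)
        if not visible:
            return None
        transcript = export_transcript(store, DEFAULT_PROFILE, visible[0])
        return read_workspace_file(store, DEFAULT_PROFILE, transcript["session_id"], "secret.txt")
    except PermissionError:
        return None
```

With the vulnerable importer, `cross_profile_read` returns the research-only file: the imported session carries no profile, `authorize` maps it to the default profile, and every later check passes for the default-profile caller. With the importer that persists the validated profile the same sequence yields nothing. A hardened `authorize` would also refuse to map `None` to any profile at all, so that a stray null-profile row fails closed rather than falling into the default profile's view; that is a defensive choice beyond what the advisory states.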

Key dates

Disclosure timeline

June 30, 2026 CVE published
June 30, 2026 Record updated