CVE-2026-6829 MEDIUM

CVE-2026-6829: nesquena hermes-webui Arbitrary Workspace Directory Access

Vendor Nesquena
Product hermes-webui
Weakness CWE-22 · Path traversal
Published April 21, 2026
Last update April 22, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.
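A server-side containment check for the client-supplied workspace path described above, as an added example that is not hermes-webui's code or its fix. The names `resolve_workspace` and `WorkspaceRejected` are hypothetical, and the directory tree in `demo` is constructed.

```python
import tempfile
from pathlib import Path


class WorkspaceRejected(ValueError):
    """The requested workspace is missing or outside the trusted root."""


def resolve_workspace(requested: str, trusted_root: str) -> Path:
    """Return the canonical workspace directory, or raise WorkspaceRejected."""
    root = Path(trusted_root).resolve(strict=True)
    try:
        # resolve() follows symlinks and collapses ".." before the comparison.
        candidate = (root / requested).resolve(strict=True)
    except (OSError, RuntimeError, ValueError) as exc:
        raise WorkspaceRejected(f"cannot resolve {requested!r}") from exc
    if not candidate.is_dir():
        raise WorkspaceRejected(f"{requested!r} is not a directory")
    # Compare whole path components; a string prefix test would accept siblings.
    if candidate != root and root not in candidate.parents:
        raise WorkspaceRejected(f"{requested!r} is outside the trusted root")
    return candidate


def demo() -> dict:
    """Classify constructed workspace requests against a throwaway tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "workspaces")
        (root / "proj").mkdir(parents=True)
        Path(tmp, "workspaces-other").mkdir()  # shares the root's string prefix
        Path(tmp, "secrets").mkdir()
        (root / "link").symlink_to(Path(tmp, "secrets"))  # symlink leaving root
        requests = {
            "inside": "proj",
            "dotdot": "../secrets",
            "absolute": str(Path(tmp, "secrets")),
            "prefix": "../workspaces-other",
            "symlink": "link",
            "missing": "does-not-exist",
        }
        results = {}
        for label, req in requests.items():
            try:
                resolve_workspace(req, str(root))
                results[label] = "allowed"
            except WorkspaceRejected:
                results[label] = "rejected"
        return results
```

The session should store the canonical path the function returns rather than the client's string, and the file read and write handlers need the same containment check on every path they build from it.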

Key dates

02 Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated