Medium severity6.3NVD Advisory· Published Apr 21, 2026· Updated Apr 22, 2026

CVE-2026-6829

Description

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.

Affected products

Nesquena/Hermes Webuireferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nesquena/hermes-webui/commit/2a7a5ddfaf39e3b0094b7ac37e9f1dbcf40a3918nvd
github.com/nesquena/hermes-webui/pull/416nvd
github.com/nesquena/hermes-webui/releases/tag/v0.50.34nvd
www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-workspace-directory-accessnvd

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000