CVE-2026-22677 nesquena CVE debrief

Who should care

Organizations running Hermes WebUI prior to version 0.51.44, particularly those with multi-user deployments where session sharing or import features are enabled. Security teams should prioritize patching if the WebUI process has access to sensitive configuration files, credentials, or other confidential data.

Technical summary

The vulnerability exists in the session import endpoint of Hermes WebUI. The workspace field in imported session data is not properly validated against blocked filesystem roots. An authenticated attacker can craft a session file with a malicious workspace value that bypasses these restrictions. After successful import, the attacker can leverage relative path traversal sequences in session file API calls to read arbitrary files on the underlying system with the permissions of the WebUI process. The attack requires authentication but no user interaction, with low attack complexity.

Defensive priority

medium

Recommended defensive actions

• Upgrade Hermes WebUI to version 0.51.44 or later to remediate the path traversal vulnerability
• Review and restrict session import functionality to trusted administrative users until patching is complete
• Implement additional input validation on workspace field values in session import endpoints to prevent filesystem root bypass
• Monitor for suspicious session import activity with unusual workspace values or subsequent file API access patterns
• Audit file system permissions to ensure the WebUI process has minimal necessary access to sensitive files

Evidence notes

Vulnerability description sourced from NVD record with CVSS 4.0 scoring. Fix confirmed via GitHub release tag v0.51.44 and associated commit f00cb74f776f22f02f5eb6b39dfb389f87cc7fd3. Advisory published by Vulncheck. Vendor identified as Hermes WebUI project (nesquena/hermes-webui on GitHub).

Official resources