PatchSiren cyber security CVE debrief

CVE-2026-6832 nesquena CVE debrief

CVE-2026-6832 is a HIGH severity vulnerability (CVSS 7.2) in Hermes WebUI. The /api/session/delete endpoint takes a session_id parameter and uses it to build the path of the session file to remove, without validating it. An authenticated attacker who supplies an absolute path, or a value containing path-traversal segments such as ../, can therefore construct a path that escapes the SESSION_DIR boundary and delete any JSON file on the host that the Hermes WebUI process is allowed to write.

Vendor
nesquena
Product
hermes-webui
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-21
Original CVE updated
2026-06-04
Advisory published
2026-04-21
Advisory updated
2026-06-04

Who should care

Anyone running Hermes WebUI, and in particular operators whose instance is reachable by more than one account or by users they do not fully trust, since any authenticated user can reach the affected endpoint. The deleted files need not belong to Hermes WebUI, so the impact extends to any JSON file the service account can write.

Technical summary

The /api/session/delete endpoint joins the user-supplied session_id onto SESSION_DIR to locate the session file to delete, without rejecting absolute paths or ".." components. An absolute value replaces the base directory entirely when joined, and ".." segments walk out of it, so the resulting path is not confined to SESSION_DIR. An authenticated attacker can thus delete JSON files anywhere on the host that the service account can write, causing loss of sessions, settings or state belonging to Hermes WebUI or to other applications, and, depending on what is removed, further compromise of the host.
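The following is an added example, not code from Hermes WebUI or the advisory, that reconstructs the flawed pattern described above beside a hardened version. SESSION_DIR, the ".json" suffix and the allowed session_id character set are assumptions for illustration; the page does not show the project's actual constants or identifier format.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed session store root. The advisory names the constant SESSION_DIR but
# not its value, so a fresh temporary directory stands in for it here.
SESSION_DIR = Path(tempfile.mkdtemp(prefix="sessions-"))

# Assumed identifier format: an allowlist is the primary control, because it
# leaves no room for '/', '\\', '..' or absolute paths at all.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def session_path_vulnerable(session_id: str) -> Path:
    """Sketch of the flawed pattern: user input joined straight onto SESSION_DIR.
    os.path.join drops SESSION_DIR entirely when session_id is absolute, and
    '..' segments walk out of it, so the result is not confined to the root."""
    return Path(os.path.join(str(SESSION_DIR), session_id + ".json"))


def session_path_safe(session_id: str) -> Path:
    """Hardened builder: allowlist the identifier, then confirm that the fully
    resolved path (symlinks included) still lies inside SESSION_DIR.
    Raises ValueError on any traversal attempt."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session_id")
    root = SESSION_DIR.resolve()
    candidate = (root / f"{session_id}.json").resolve()
    # Defence in depth: even if the allowlist were loosened later, the resolved
    # target must still have SESSION_DIR as an ancestor.
    if root not in candidate.parents:
        raise ValueError("session_id escapes SESSION_DIR")
    return candidate


def delete_session(session_id: str) -> bool:
    """Hardened delete handler. Returns True when a session file was removed,
    False when no such session existed; traversal payloads raise ValueError."""
    path = session_path_safe(session_id)
    if not path.is_file():
        return False
    path.unlink()
    return True


def escapes_root(path: Path) -> bool:
    """True when the given path, once resolved, is outside SESSION_DIR.
    Used to show where the vulnerable join actually points."""
    root = SESSION_DIR.resolve()
    resolved = path.resolve()
    return resolved != root and root not in resolved.parents


def is_rejected(session_id: str) -> bool:
    """True when the hardened builder refuses the identifier."""
    try:
        session_path_safe(session_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in ("sess-1", "/etc/hermes/settings", "../../app/config"):
        vuln = session_path_vulnerable(payload)
        print(f"{payload!r:28} vulnerable -> {vuln} (escapes={escapes_root(vuln)})"
              f" hardened rejects={is_rejected(payload)}")
```

Note that the allowlist alone already stops this class of bug; the resolve-and-ancestor check is kept because identifier rules tend to be relaxed over time, and it catches a symlink planted inside the session directory as well.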

Defensive priority

HIGH

Recommended defensive actions

  • Apply the fix shipped by the vendor (the page does not record the fixed version; check the project's advisory) and confirm the update is actually deployed on every instance.
  • Until patched, restrict access to the /api/session/delete endpoint, and to the UI as a whole, to trusted accounts, and do not expose the instance to untrusted networks; the flaw requires only an authenticated user.
  • Run Hermes WebUI under a dedicated account whose write access is limited to its own session and data directories, so that a traversal cannot reach JSON files belonging to anything else.
  • Monitor access and application logs for /api/session/delete requests whose session_id contains a slash, backslash or ".." (including URL-encoded forms), and for unexpected deletion of JSON files outside the session directory.
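An added example of the log check suggested above; it is not tooling from the vendor or the advisory. The log lines are constructed for illustration in a common access-log shape, and it is assumed that session_id is visible in the request target; if the real deployment sends it in a request body, the same check has to run over application logs that record the parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample lines; the real Hermes WebUI log format is not on the page.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Apr/2026:10:00:01 +0000] "POST /api/session/delete?session_id=abc123 HTTP/1.1" 200 15
10.0.0.5 - alice [21/Apr/2026:10:00:09 +0000] "POST /api/session/delete?session_id=../../app/config HTTP/1.1" 200 15
10.0.0.9 - bob [21/Apr/2026:10:01:00 +0000] "POST /api/session/delete?session_id=%2Fetc%2Fhermes%2Fsettings HTTP/1.1" 200 15
10.0.0.9 - bob [21/Apr/2026:10:01:30 +0000] "GET /api/session/list HTTP/1.1" 200 220
10.0.0.7 - carol [21/Apr/2026:10:02:00 +0000] "POST /api/session/delete?session_id=..%2F..%2Fdata%2Fstate HTTP/1.1" 200 15
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Assumed legitimate identifier format; anything else is treated as suspicious.
SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def extract_session_id(target: str):
    """Return the session_id query value for /api/session/delete, else None."""
    path, _, query = target.partition("?")
    if path != "/api/session/delete":
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "session_id":
            # Decode twice so double-encoded payloads (%252e%252e) are caught too.
            return unquote(unquote(value))
    return None


def is_suspicious(session_id: str) -> bool:
    """Flag identifiers that could leave SESSION_DIR: absolute paths, separators
    or parent-directory segments, or simply anything outside the allowlist."""
    if not SAFE_ID_RE.fullmatch(session_id):
        return True
    return False


def find_traversal_attempts(log_text: str):
    """Scan log lines and return one record per suspicious delete request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        session_id = extract_session_id(m["target"])
        if session_id is None or not is_suspicious(session_id):
            continue
        hits.append({
            "ip": m["ip"],
            "user": m["user"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "session_id": session_id,
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']}@{hit['ip']} "
              f"session_id={hit['session_id']!r} status={hit['status']}")
```

A 200 status on a flagged line is the case worth escalating: the request reached the handler, so the file named by the decoded path may actually be gone.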

Evidence notes

Evidence for this vulnerability comes from the NVD and CVE.org.

Official resources

CVE-2026-6832 was published on 2026-04-21T22:16:21.040Z and modified on 2026-06-04T15:11:50.393Z.