GHSA-8j74-6fjm-pjr7MediumCVSS 6.5
Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active...
🔗 CVE IDs covered (1)
📋 Description
Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persisted with a null profile. Because a null profile is treated as the default profile by the profile authorization check, a user on the default profile can export the imported session transcript and use its session identifier to read files from the named profile's workspace, defeating the application's profile isolation.
🔗 References (7)
- https://nvd.nist.gov/vuln/detail/CVE-2026-58174
- https://github.com/nesquena/hermes-webui/pull/4489
- https://github.com/nesquena/hermes-webui/pull/4506
- https://github.com/nesquena/hermes-webui/commit/3d5ef4758e920ba6888d49aaa4341de214693496
- https://github.com/nesquena/hermes-webui/releases/tag/v0.51.521
- https://www.vulncheck.com/advisories/hermes-webui-cross-profile-authorization-bypass-via-unset-session-profile-on-import
- https://github.com/advisories/GHSA-8j74-6fjm-pjr7