CVE-2026-6832
Nesquena Hermes WebUI Arbitrary File Deletion via Unvalidated session_id
Description
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.
INFO
Published Date :
April 21, 2026, 10:16 p.m.
Last Modified :
June 4, 2026, 3:11 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 3.1 | HIGH | MITRE-CVE | ||||
| CVSS 4.0 | HIGH | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 4.0 | HIGH | [email protected] |
Solution
- Validate and sanitize all user-supplied session identifiers.
- Ensure session IDs do not allow directory traversal.
- Restrict file operations to the intended directory.
- Implement robust input validation for API endpoints.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-6832.
| URL | Resource |
|---|---|
| https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655 | Patch |
| https://github.com/nesquena/hermes-webui/pull/409 | Issue Tracking Patch Exploit Vendor Advisory |
| https://github.com/nesquena/hermes-webui/pull/412 | Issue Tracking Patch |
| https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132 | Product Release Notes |
| https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32 | Product Release Notes |
| https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id | Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-6832 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-6832
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-6832 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-6832 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 04, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:get-hermes:hermes_web_ui:*:*:*:*:*:*:*:* versions up to (excluding) 0.50.32 Added Reference Type VulnCheck: https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655 Types: Patch Added Reference Type VulnCheck: https://github.com/nesquena/hermes-webui/pull/409 Types: Exploit, Issue Tracking, Patch, Vendor Advisory Added Reference Type VulnCheck: https://github.com/nesquena/hermes-webui/pull/412 Types: Issue Tracking, Patch Added Reference Type VulnCheck: https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132 Types: Product, Release Notes Added Reference Type VulnCheck: https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32 Types: Product, Release Notes Added Reference Type VulnCheck: https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id Types: Third Party Advisory -
New CVE Received by [email protected]
Apr. 21, 2026
Action Type Old Value New Value Added Description Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Added CWE CWE-22 Added Reference https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655 Added Reference https://github.com/nesquena/hermes-webui/pull/409 Added Reference https://github.com/nesquena/hermes-webui/pull/412 Added Reference https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132 Added Reference https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32 Added Reference https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id