Hermes WebUI < 0.51.521 - Cross-Profile Authorization Bypass via Unset Session Profile on Import | Advisories

Advisories

Hermes WebUI < 0.51.521 - Cross-Profile Authorization Bypass via Unset Session Profile on Import

severity: medium
date: 6/30/2026
Affecting: Heremes WebUI < 0.51.521
CVE: CVE-2026-58174
CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
CVSS: 6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Release Notes
Researcher PR
Maintainer PR
Fix Commit
Credit: Chia Min Jun Lennon
Description: Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persisted with a null profile. Because a null profile is treated as the default profile by the profile authorization check, a user on the default profile can export the imported session transcript and use its session identifier to read files from the named profile's workspace, defeating the application's profile isolation.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo