Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch

Advisories

Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch

severity: low
date: 4/21/2026
Affecting: hermes-webui < PR #351, fixed in commit 88dc8bb
CVE: CVE-2026-6830
CWE: CWE-668: Exposure of Resource to Wrong Sphere
CWE-459: Incomplete Cleanup
CVSS: 4.8
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References: Patch Commit
Pull Request
Release Notes
Release Notes
Credit: Chia Min Jun Lennon
Description: nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo