CVE-2026-49957
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
Hermes WebUI before version 0.51.296 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks. Attackers can configure a remote terminal working directory to a system directory, enabling access to local system files.
Risk Assessment
This vulnerability may lead to unauthorized access to sensitive system files, posing a significant security risk to the organization.
Recommendation
It is recommended to update Hermes WebUI to version 0.51.296 or later to mitigate this vulnerability and review remote terminal configurations to restrict access to critical system directories.
Original NVD description (English source)
Hermes WebUI before version 0.51.296 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within _remote_terminal_workspace_candidate(). Attackers can configure a remote terminal working directory to a system directory such as /etc, causing the workspace resolution path to accept it as a trusted local workspace root before the _is_blocked_workspace_path() guard executes, enabling read access to local system files through workspace file-read helpers.

