Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside t…

Published: 20 April 2026 at 22:00:00

Alert date: 21 April 2026 at 23:02:09

Source: nvd.nist.gov

Web Technologies

CVE-2026-6832 is an arbitrary file deletion vulnerability in Hermes WebUI's /api/session/delete endpoint. Authenticated attackers can exploit unvalidated session identifiers to delete files outside the intended session directory. The vulnerability allows path traversal attacks using absolute paths or directory traversal payloads in the session_id parameter. Attackers can bypass SESSION_DIR boundaries and delete writable JSON files on the host system. Multiple GitHub commits and releases address this security issue.

Technical details

Affected products: Hermes WebUI

This article was created with the assistance of AI technology by Perceptive.
