CVE-2026-6832

CVE-2026-6832 is an arbitrary file deletion vulnerability in Hermes WebUI, affecting the /api/session/delete endpoint. The flaw arises from insufficient validation of the session_id parameter, which allows authenticated attackers to supply absolute paths or path traversal payloads. This enables deletion of files outside the intended SESSION_DIR boundary, including writable JSON files on the host system. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to integrity and availability impacts.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By crafting malicious session_id values, they bypass directory restrictions to delete arbitrary writable files, potentially disrupting application functionality or causing denial of service on the host system. No confidentiality impact is present, but the ability to target critical JSON configuration or data files amplifies the risk in deployed Hermes WebUI instances.

Mitigation is available through patches in the Hermes WebUI GitHub repository, including commit 3cc5839bf303fa6758bfdac538507407a2929655, pull requests #409 and #412, and releases v0.50.132 and v0.50.32. Security practitioners should update to a patched version and review access controls for the /api/session/delete endpoint to restrict authenticated users.