MEDIUM 5.0

CVE-2026-49958: Hermes WebUI TOCTOU Race Condition Arbitrary File Deletion

Hermes WebUI versions prior to 0.51.303 contain a race condition vulnerability in its file deletion functionality. An attacker with local access and user privileges can exploit a timing gap between when the application validates a file path and when it actually deletes it. By swapping a directory component with a symbolic link at just the right moment, an attacker can trick the application into deleting files outside the intended workspace—potentially removing important system or application files. This requires precise timing and user interaction but could lead to significant data loss or system disruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H
Weaknesses (CWE)
CWE-367
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-07-14

NVD description (verbatim)

Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the git_discard function within api/workspace_git.py. The flaw is a classic time-of-check time-of-use (TOCTOU) race condition: the code validates a file path using safe_resolve_ws() to ensure it remains within the configured workspace boundary, but an attacker can replace a path component with a symlink between this validation step and the actual deletion call (Path.unlink() or shutil.rmtree()). Because symbolic link resolution occurs at deletion time rather than validation time, the delete operation follows the symlink to an arbitrary location outside the workspace. This is a well-known class of vulnerability in file operations where validation and use are separated in time.

Business impact

Successful exploitation allows deletion of arbitrary files accessible to the Hermes WebUI process. If the process runs with elevated privileges or has broad file system access, an attacker could remove critical application files, configuration files, or user data, leading to denial of service, data loss, or system instability. Organizations using Hermes WebUI for collaborative development or workspace management face risk of disruption and potential recovery costs. The local attack vector and requirement for user interaction limit blast radius, but the integrity impact is serious.

Affected systems

Hermes WebUI versions before 0.51.303 are vulnerable. Organizations running this application should verify their installed version immediately. The vulnerability requires local system access and valid user credentials, so it is not exploitable via remote network attack. Shared development environments, CI/CD systems, or multi-tenant deployments running Hermes WebUI face elevated risk.

Exploitability

Exploitation requires local system access, valid user credentials, and the ability to interact with the Hermes WebUI interface to trigger the git_discard function. An attacker must also achieve precise timing to insert a symlink between validation and deletion—this is technically feasible but not trivial. The CVSS score of 5 (Medium) reflects the high bar for exploitation: local access requirement, high attack complexity, and user interaction needed. However, once conditions align, the attack is deterministic and difficult to detect in real time.

Remediation

Upgrade Hermes WebUI to version 0.51.303 or later. This version addresses the race condition by ensuring path validation and deletion occur atomically or by rechecking the resolved path immediately before deletion. Organizations unable to upgrade immediately should restrict local system access to trusted users only and monitor file system activity for unexpected deletion patterns. Review access controls for the Hermes WebUI process itself to minimize the scope of files it can reach.

Patch guidance

Apply the upgrade to Hermes WebUI version 0.51.303 or later as soon as feasible. Verify the patched version is installed in all environments where Hermes WebUI is deployed, including development machines, build servers, and shared systems. Test the patched version in a staging environment to confirm compatibility with your workflows before rolling out to production. Check vendor release notes to confirm that version 0.51.303 or later addresses CVE-2026-49958 specifically.

Detection guidance

Monitor file system access logs for unexpected symlink creation or unusual deletion patterns, particularly in directories outside the expected workspace boundary. Track process behavior from the Hermes WebUI application: look for sequences where a directory is validated, then rapidly replaced with a symlink, followed by a delete operation. Endpoint detection and response (EDR) tools can alert on suspicious symlink-to-delete chains. Audit logs from Hermes WebUI itself should be reviewed for git_discard function calls, especially any that fail or show unexpected path resolution. Intrusion detection signatures for TOCTOU attacks in file operations may also apply.

Why prioritize this

While this vulnerability carries a Medium CVSS score, it deserves prompt attention in environments where Hermes WebUI is widely deployed or where the process runs with elevated privileges. The race condition is exploitable by any local user with credentials, and successful exploitation results in arbitrary file deletion—a significant integrity and availability impact. Organizations should prioritize patching if Hermes WebUI manages critical workspaces or is deployed on systems with sensitive data. However, the local attack vector and user interaction requirement mean this is not an emergency-level priority for air-gapped or tightly controlled environments.

Risk score, explained

CVSS 3.1 score of 5.0 (Medium) reflects: local attack vector (AV:L), high attack complexity due to race condition timing (AC:H), low privileges required but user interaction required (PR:L/UI:R), no confidentiality impact (C:N), low integrity impact limited to files the process can reach (I:L), and high availability impact from potential data deletion (A:H). The score correctly penalizes the attack complexity and privilege requirements while recognizing the serious availability consequences.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access and valid user credentials on the machine running Hermes WebUI. It cannot be exploited over a network.

Does the attacker need special privileges?

The attacker needs local user credentials and the ability to interact with the Hermes WebUI interface. They do not need administrative privileges, but the scope of damage depends on the file system permissions of the Hermes WebUI process.

What should I do if I cannot upgrade immediately?

Restrict local system access to trusted users only. Monitor file system activity for unexpected symlink creation or deletion patterns. Review and minimize the file system permissions granted to the Hermes WebUI process. Plan an upgrade as soon as possible.

How can I verify whether my version is vulnerable?

Check your installed Hermes WebUI version number. Any version before 0.51.303 is vulnerable. Consult vendor documentation or your deployment logs to confirm your current version.

This analysis is based on the CVE record and vendor information available as of the publication date. Security researchers and affected organizations should verify all details against official vendor advisories and documentation. Patch availability, version numbers, and remediation steps should be confirmed with Hermes WebUI maintainers before taking action. This vulnerability intelligence does not constitute professional security advice; consult your security team or vendor for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).