CVE-2026-49959: Hermes WebUI RCE via Git Config Injection
Hermes WebUI versions before 0.51.311 contain a vulnerability that allows authenticated users to run arbitrary commands on the server. An attacker with valid login credentials can inject malicious configuration into a Git repository's settings file (.git/config) that gets executed when the application performs Git operations like status checks or fetches. This is particularly dangerous because Git has multiple mechanisms for running external commands—including file monitors, credential handlers, and SSH wrappers—all of which can be weaponized through configuration poisoning.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-14
NVD description (verbatim)
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in api/workspace_git.py where Git subprocess invocations lack sufficient input validation or sandboxing of Git configuration parameters. An authenticated attacker can craft a malicious .git/config file in a workspace repository that exploits Git's extensible configuration system. Attack vectors include core.fsmonitor (executed during git status), protocol.ext.allow with ext:: remote URLs (during git fetch), credential.helper, core.askPass, core.gitProxy, or inherited environment variables like GIT_SSH_COMMAND. When the application invokes Git operations without neutralizing these configuration sources, arbitrary code execution on the host is possible. The vulnerability requires authentication but does not require user interaction on the target system.
Business impact
An authenticated attacker can achieve complete code execution on servers running Hermes WebUI, enabling data theft, malware deployment, lateral movement within the network, or service disruption. Since this requires valid credentials, the risk depends on your access control posture—if shared workspace accounts or weak authentication exists, the barrier to exploitation drops significantly. Organizations using Hermes WebUI for collaborative development face particularly high risk because workspace repositories are typically accessible to multiple team members, increasing the chance of either accidental or intentional exploitation.
Affected systems
Hermes WebUI versions before 0.51.311 are vulnerable. The exact scope of affected products is not specified in vendor advisories at this time; verify your deployed version against the official Hermes WebUI release notes and patch your infrastructure accordingly. Any instance where Hermes WebUI manages or executes Git operations on untrusted or semi-trusted repositories is at risk.
Exploitability
Exploitation requires valid authentication credentials, placing this in the 'authenticated attacker' category rather than fully unauthenticated. However, the attack is straightforward: an authenticated user simply commits a malicious .git/config file to a workspace repository, then triggers a Git operation (status, fetch, pull) through the WebUI. No complex bypass techniques are required once credentials are obtained. The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of exploitation means monitoring for in-the-wild attacks is warranted.
Remediation
Upgrade Hermes WebUI to version 0.51.311 or later immediately. This is a mandatory update with no workarounds. Organizations unable to patch immediately should restrict access to Hermes WebUI to trusted users only, disable workspace git operations if feasible, and monitor for suspicious activity. Implement strong authentication (multi-factor authentication) and enforce principle of least privilege for workspace access.
Patch guidance
Apply the update to Hermes WebUI 0.51.311 or verify against the vendor advisory for any subsequent patch versions. After patching, validate that Git operations (status, fetch, pull) function normally within workspace repositories. Test with both public and private repositories to ensure the fix does not introduce regressions. Rolling updates are recommended to minimize downtime in production environments.
Detection guidance
Monitor Git subprocess execution logs and system calls for suspicious parameters in .git/config files, particularly entries involving core.fsmonitor, core.askPass, core.gitProxy, credential.helper, or protocol.ext settings. Look for GIT_SSH_COMMAND environment variable injection in process execution logs. Audit workspace repositories for recent commits that add or modify .git/config with non-standard settings. Network-level detection is limited since the vulnerability exploits legitimate Git operations; focus on behavioral analysis of child processes spawned by the Hermes WebUI application.
Why prioritize this
This vulnerability merits immediate prioritization because it enables unauthenticated-level impact (full RCE) despite requiring credentials, affects a collaboration platform likely integral to development workflows, and has straightforward exploitation mechanics. The absence from the KEV catalog does not indicate low risk—it reflects only that CISA has not yet received reports of active exploitation. Organizations should treat this as critical based on the CVSS 8.8 score and the high likelihood of exploitation attempts once the vulnerability becomes widely known.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: Attack Vector (Network), Attack Complexity (Low), Privileges Required (Low), User Interaction (None), and impact on Confidentiality, Integrity, and Availability (all High). This combination produces a HIGH severity rating. The primary mitigating factor is the requirement for valid authentication; however, in environments with shared accounts, weak passwords, or lateral movement post-compromise, this becomes a secondary concern. The real-world impact is likely to exceed the base score if supply-chain or insider-threat scenarios are considered.
Frequently asked questions
Can this vulnerability be exploited without valid Hermes WebUI credentials?
No. The vulnerability requires authentication to access a workspace and commit the malicious .git/config file. However, stolen credentials, shared accounts, or post-compromise lateral movement can satisfy this requirement.
What is the difference between Hermes WebUI and other Git hosting platforms regarding this vulnerability?
Hermes WebUI's vulnerability stems from how it invokes Git subprocess operations without proper isolation of configuration sources. Standard Git hosting platforms (GitHub, GitLab) isolate user input from server-side Git operations more strictly. The risk here is specific to how Hermes WebUI executes Git commands on behalf of authenticated users.
If we block certain Git config parameters in our firewall, can we mitigate this until we patch?
Firewall-level mitigations are ineffective because the exploit operates through Git configuration files inside repositories, not network traffic. You must restrict workspace access, enforce MFA, and apply the patch. Disabling workspace Git operations entirely (if your workflow permits) is the only reliable interim control.
How do I verify that a workspace repository has been compromised?
Examine the .git/config file directly for unexpected entries in core.fsmonitor, credential.helper, core.gitProxy, protocol.ext, or GIT_* environment variable references. Audit Git commit history for recent changes to .git/config. Monitor process execution logs for child processes spawned by Hermes WebUI with suspicious arguments.
This analysis is provided for educational and defensive security purposes. SEC.co makes no warranties regarding the accuracy or completeness of this information. Vulnerability details, affected versions, and patch availability are subject to change; consult official vendor advisories before making patch decisions. Do not attempt to exploit this or any vulnerability outside of authorized testing environments. Organizations should verify patch applicability and compatibility with their specific deployments before updating production systems. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability