CVE-2026-6830

LOW SEVERITY

CVSS Score & Metrics

Base Score

3.3 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.

Vulnerability Details

Published Date

April 21, 2026

Last Modified

April 22, 2026

CWE ID

CWE-459

Source

NVD

External References

https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0
https://github.com/nesquena/hermes-webui/pull/351
https://github.com/nesquena/hermes-webui/releases/tag/v0.50.12
https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132
https://www.vulncheck.com/advisories/nesquena-hermes-webui-environment-variable-credential-leakage-via-profile-switch

CVE-2026-6830

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment