CVE-2026-49958
Gravedad CVSS v4.0:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
09/06/2026
Descripción
*** Pendiente de traducción *** Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.
Impacto
Puntuación base 4.0
4.30
Gravedad 4.0
MEDIA
Puntuación base 3.x
5.00
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://github.com/nesquena/hermes-webui/commit/4580f584964d640b95c4ffc9245a21ab926bec73
- https://github.com/nesquena/hermes-webui/pull/3702
- https://github.com/nesquena/hermes-webui/pull/3756
- https://github.com/nesquena/hermes-webui/releases/tag/v0.51.303
- https://www.vulncheck.com/advisories/hermes-webui-toctou-race-condition-via-git-discard
- https://github.com/nesquena/hermes-webui/pull/3702



