CVE-2026-6832

HighPublic PoC

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0010 27.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6832 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to File Deletion (T1070.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of the session_id parameter to reject path traversal or absolute paths, preventing arbitrary file deletion outside the SESSION_DIR.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to restrict file deletion operations to the intended session directory, blocking bypasses of directory boundaries.

AU-12 Audit Record Generation partial match

detect

Generates audit records for file access and deletion events, enabling identification of unauthorized deletions targeting writable JSON files.

MITRE ATT&CK Enterprise TechniquesAI

T1070.004 File Deletion Stealth

Adversaries may delete files left behind by the actions of their intrusion activity.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Arbitrary file deletion via path traversal in a public-facing web API endpoint (authenticated, low privileges) directly enables file deletion (T1070.004) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated…

session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.

Deeper analysisAI

CVE-2026-6832 is an arbitrary file deletion vulnerability in Hermes WebUI, affecting the /api/session/delete endpoint. The flaw arises from insufficient validation of the session_id parameter, which allows authenticated attackers to supply absolute paths or path traversal payloads. This enables deletion of files outside the intended SESSION_DIR boundary, including writable JSON files on the host system. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to integrity and availability impacts.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By crafting malicious session_id values, they bypass directory restrictions to delete arbitrary writable files, potentially disrupting application functionality or causing denial of service on the host system. No confidentiality impact is present, but the ability to target critical JSON configuration or data files amplifies the risk in deployed Hermes WebUI instances.

Mitigation is available through patches in the Hermes WebUI GitHub repository, including commit 3cc5839bf303fa6758bfdac538507407a2929655, pull requests #409 and #412, and releases v0.50.132 and v0.50.32. Security practitioners should update to a patched version and review access controls for the /api/session/delete endpoint to restrict authenticated users.

Details

CWE(s): CWE-22

CVEs Like This One

CVE-2026-34728Shared CWE-22

CVE-2025-14850Shared CWE-22

CVE-2025-4828Shared CWE-22

CVE-2026-3666Shared CWE-22

CVE-2025-14344Shared CWE-22

CVE-2025-6439Shared CWE-22

CVE-2025-2742Shared CWE-22

CVE-2026-0704Shared CWE-22

CVE-2025-27786Shared CWE-22

CVE-2026-4758Shared CWE-22

References

https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655
disclosure@vulncheck.com
https://github.com/nesquena/hermes-webui/pull/409
disclosure@vulncheck.com
https://github.com/nesquena/hermes-webui/pull/412
disclosure@vulncheck.com
https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132
disclosure@vulncheck.com
https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id
disclosure@vulncheck.com