Vulnerability Description
nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d
- https://github.com/nesquena/hermes-webui/pull/351
- https://github.com/nesquena/hermes-webui/releases/tag/v0.50.12
- https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132
- https://www.vulncheck.com/advisories/nesquena-hermes-webui-environment-variable-
FAQ
What is CVE-2026-6830?
CVE-2026-6830 is a vulnerability with a CVSS score of 3.3 (LOW). nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next pro...
How severe is CVE-2026-6830?
CVE-2026-6830 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6830?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.