{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6830", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-21T21:22:31.635Z", "datePublished": "2026-04-21T21:33:28.985Z", "dateUpdated": "2026-04-21T21:33:36.356Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-21T21:33:36.356Z"}, "title": "Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "type": "CWE"}, {"lang": "en", "cweId": "CWE-459", "description": "CWE-459: Incomplete Cleanup", "type": "CWE"}]}], "affected": [{"vendor": "nesquena", "product": "hermes-webui", "versions": [{"status": "affected", "version": "0", "lessThan": "PR #351", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.</p>"}]}], "references": [{"url": "https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://github.com/nesquena/hermes-webui/pull/351", "name": "Pull Request"}, {"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132", "name": "Release Notes"}, {"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.12", "name": "Release Notes", "tags": ["third-party-advisory"]}, {"url": "https://www.vulncheck.com/advisories/nesquena-hermes-webui-environment-variable-credential-leakage-via-profile-switch", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Chia Min Jun Lennon", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles."}], "id": "CVE-2026-6830", "lastModified": "2026-04-21T22:16:20.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-21T22:16:20.863", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/pull/351"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.12"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/nesquena-hermes-webui-environment-variable-credential-leakage-via-profile-switch"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-459"}, {"lang": "en", "value": "CWE-668"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:20:04.924375+00:00", "value": {"mitigation_remediation": ["Upgrade Hermes\u2011WebUI to v0.50.12 or later, which clears environment variables on profile switch.", "If immediate upgrade is not possible, isolate each profile by ensuring it uses a dedicated .env file and restrict file permissions so that other profiles cannot read them.", "Monitor logs and user activity for unexpected usage of provider API keys that might indicate credential leakage across profiles."], "summary": {"action": "Apply Patch", "impact": "Credential Leakage"}, "threat_synthesis": {"affected_systems": "nesquena hermes\u2011webui. Versions prior to v0.50.12 (including the release tagged v0.50.11 and earlier) are vulnerable. The patch was applied in releases v0.50.12 and later, such as v0.50.132.", "description_and_impact": "The vulnerability allows an attacker or a legitimate user to access sensitive provider API keys that were set in a previously active profile. The Hermes-WebUI environment variable loader does not clear variables from the previous profile before loading the next one, so switching profiles preserves environment state. This additive dotenv reload behavior enables cross\u2011profile leakage of secrets, effectively breaking the security isolation that users expect between separate profile contexts.", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate severity. EPSS is not available, so current exploitation probability is unknown, but the lack of a KEV listing suggests no known widespread exploitation. The attack can be performed by any user who can switch profiles within the same Hermes\u2011WebUI instance; it does not require remote code execution or elevated privileges, only the ability to load a malicious profile. The compromised credentials could then be used to access downstream services or sensitive data."}}}}, "created": "2026-04-22T04:45:09.345271+00:00", "updated": "2026-04-22T06:30:10.670124+00:00", "vendors": []}