CVE-2026-6830
Received Received - Intake
Environment Variable Leakage in nesquena hermes-webui Enables Secret Exposure

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: VulnCheck

Description
nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6830
EUVD
EUVD-2026-24515
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
nesquena hermes-webui to 0.50.12 (exc)
nesquena hermes-webui 0.50.12
nesquena hermes-webui 0.50.132
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in nesquena hermes-webui allows environment variable leakage between profiles, exposing sensitive information such as provider API keys and other secrets from one profile context in another. This breaks expected security isolation between profiles.

Such leakage of sensitive credentials can lead to unauthorized access to protected data or systems, which may violate security and privacy requirements mandated by common standards and regulations like GDPR and HIPAA. These regulations require strict controls to prevent unauthorized disclosure of sensitive information.

Therefore, this vulnerability could negatively impact compliance by allowing cross-profile secret leakage, undermining confidentiality and potentially leading to data breaches or unauthorized data access.

Executive Summary

The vulnerability in nesquena hermes-webui involves environment variable leakage during profile switching. When a user switches from one profile to another, the environment variables from the previously active profile are not cleared before loading the new profile's environment variables. This means that sensitive information such as provider API keys and other secrets from one profile remain accessible in another profile's context, breaking the expected security isolation between profiles.

The root cause is that the system loads environment variables additively without removing those from the old profile, allowing secrets to persist across profiles.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive secrets such as API keys and credentials across different user profiles. An attacker or unauthorized user could exploit this flaw to gain access to environment variables from another profile, potentially compromising security by using those secrets in unintended contexts.

Because environment variables are not properly isolated, secrets meant to be confined to one profile can leak into another, increasing the risk of credential exposure and misuse.

Detection Guidance

This vulnerability involves environment variable leakage during profile switching in the Hermes WebUI application. Detection involves verifying whether environment variables from a previously active profile persist after switching to a new profile, which should not happen.

To detect this issue on your system, you can manually check the environment variables before and after switching profiles to see if variables from the old profile remain set.

  • Use commands to list environment variables related to profiles, for example, in a Unix-like shell:
  • 1. Before switching profiles, run: `printenv | grep <profile-specific-keyword>` to list environment variables related to the current profile.
  • 2. Switch to a different profile using the application's profile switch command or interface.
  • 3. After switching, run the same command again: `printenv | grep <profile-specific-keyword>`.

If environment variables from the previous profile are still present after switching, the vulnerability exists.

Automated detection could involve writing scripts or tests that programmatically switch profiles and verify environment variable isolation, similar to the regression tests described in the fix.

Mitigation Strategies

The primary mitigation is to update the Hermes WebUI application to a version that includes the fix for CVE-2026-6830.

The fix ensures that environment variables loaded from a profile's .env file are cleared before loading a new profile's environment variables, preventing leakage of sensitive secrets such as API keys.

  • Update to the version that includes the fix merged in pull request #351, or any release after April 13, 2026, which contains the patch.
  • If immediate update is not possible, manually clear environment variables related to profiles before switching profiles to avoid additive leakage.
  • Avoid sharing or exposing profile environment variables across user contexts until the fix is applied.

Additionally, review and audit environment variable handling in your deployment to ensure no sensitive secrets persist beyond their intended scope.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart