Is CVE-2026-58174 being exploited?

No public exploit is currently tracked.

How severe is CVE-2026-58174?

CVE-2026-58174 has a CVSS v3 severity of MEDIUM (6.5).

Back

CVE-2026-58174

Description

Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persisted with a null profile. Because a null profile is treated as the default profile by the profile authorization check, a user on the default profile can export the imported session transcript and use its session identifier to read files from the named profile's workspace, defeating the application's profile isolation.