CVE-2026-6832 - Hermes WebUI - Broken Access Control

Overview

Hermes WebUI contains an arbitrary file deletion vulnerability caused by unvalidated session_id parameter in /api/session/delete endpoint, letting authenticated attackers delete files outside the session directory.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can delete arbitrary files on the host system, potentially disrupting service or deleting critical data.

Mitigation

Update to the latest version with proper session_id validation and path sanitization.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 21, 2026

🟠 CVE-2026-6832 - High (8.1) Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the ses... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6832/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Apr 21, 2026

🟠 CVE-2026-6832 - High (8.1) Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the ses... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6832/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-6832 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score