Hi @bayendor,
I'm an independent security researcher. I found two privilege escalation vulnerabilities in hermes-control-interface that allow a viewer-role user to perform admin-only actions.
I sent you a DM on X (@bayendor) on 2026-05-25 but haven't received a response, so I'm opening this issue to make sure the report reaches you.
Summary (no full PoC — coordinated disclosure)
| # | Finding | CVSS 3.1 |
|---|---------|----------|
| 01 | WebSocket Terminal RBAC Bypass | 9.9 Critical |
| 02 | File Write Missing Permission Check | 7.5 High |
FINDING-01 — WebSocket RBAC Bypass (CVSS 9.9)
src/server.js line ~5083 processes terminal-input messages from any authenticated user without checking the terminal permission. The REST equivalent (POST /api/terminal/exec) correctly enforces
requirePerm('terminal.exec'), but the WebSocket path was missed.
Impact: a viewer account gets a full OS shell. The terminal session is also a shared singleton — a viewer can inject commands into an active admin session.
FINDING-02 — File Write Missing Permission Check (CVSS 7.5)
POST /api/file at line ~2792 applies requireCsrf but is missing requirePerm('files.write'). A viewer (who has files.read) can overwrite files within the explorer root using a valid CSRF token (always available via GET /api/auth/me).
What I'm asking
Please enable GitHub Security Advisories (Settings → Security → Advisories) so I can send the full report with PoCs privately, or reply with a contact email.
I'm following a 90-day coordinated disclosure window from 2026-05-25.
Reporter: Mateus Gama — mateus.ambuzeirogama@gmail.com
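The pattern behind both findings is the same: a permission check that exists on one entry point (the REST middleware) but not on another (the WebSocket message handler). The example below is added here for illustration and is not hermes-control-interface code; it shows one way to route both paths through a single permission table so a handler cannot be wired up without a check. The role table (`ROLE_PERMS`), the message-type map (`WS_MESSAGE_PERMS`), the `handleWsMessage` dispatcher and the `runMiddleware` test helper are all assumed names constructed for the example; `requirePerm` is the middleware name the report mentions, but its implementation here is an assumption.

```javascript
// Added example, not the project's own code. Role -> permission table is
// constructed for this illustration; a real deployment would load it from config.
const ROLE_PERMS = {
  viewer: new Set(['files.read']),
  admin: new Set(['files.read', 'files.write', 'terminal.exec']),
};

// Single source of truth: every entry point must go through this function.
function hasPerm(user, perm) {
  const perms = ROLE_PERMS[user && user.role];
  return Boolean(perms && perms.has(perm));
}

// Express-style middleware factory (assumed implementation of requirePerm).
// Used on REST routes such as POST /api/terminal/exec and POST /api/file.
function requirePerm(perm) {
  return function (req, res, next) {
    if (!hasPerm(req.user, perm)) {
      res.status(403).json({ error: 'forbidden', perm });
      return;
    }
    next();
  };
}

// WebSocket message type -> required permission. The same permission strings
// as the REST routes, so 'terminal-input' needs exactly what /api/terminal/exec
// needs. Any type absent from this map is rejected (default deny), which is
// what prevents a newly added message type from shipping without a check.
const WS_MESSAGE_PERMS = {
  'terminal-input': 'terminal.exec',
  'file-write': 'files.write',
  'file-read': 'files.read',
};

// Dispatch one parsed WebSocket message for an already-authenticated user.
// Returns a result object instead of writing to the socket so it is testable.
function handleWsMessage(user, msg) {
  const perm = WS_MESSAGE_PERMS[msg && msg.type];
  if (!perm) {
    return { ok: false, status: 400, error: 'unknown message type' };
  }
  if (!hasPerm(user, perm)) {
    // A denial here is the event to log and alert on: a viewer repeatedly
    // sending terminal-input is exactly the probe a detection rule keys on.
    return { ok: false, status: 403, error: 'forbidden', perm };
  }
  return { ok: true, type: msg.type, perm };
}

// Minimal fake req/res so the middleware can be exercised without Express.
function runMiddleware(mw, user) {
  let status = 200;
  let nextCalled = false;
  const req = { user };
  const res = {
    status(s) { status = s; return this; },
    json() { return this; },
  };
  mw(req, res, () => { nextCalled = true; });
  return { status, nextCalled };
}

// Demo: the viewer is denied on the WebSocket path just as on the REST path.
console.log(handleWsMessage({ role: 'viewer' }, { type: 'terminal-input' }));
console.log(runMiddleware(requirePerm('files.write'), { role: 'viewer' }));
```

The useful property is that adding a WebSocket message type without an entry in `WS_MESSAGE_PERMS` fails closed with a 400 rather than silently granting access, and a unit test that iterates over the map and asserts a viewer is denied on every non-read type catches regressions of the kind described in both findings.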