Hermes WebUI
CVE-2026-53871
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable web UI, trivial cookie edit (AC:L), requires a valid account so PR:L; cross-profile read/write yields C:H/I:H but no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.
AnalysisAI
Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files, and resources belonging to other profiles by forging the hermes_profile cookie. The flaw lives in get_profile_cookie(), which trusted attacker-supplied profile names without binding them to the authenticated session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess valid credentials for the target Hermes WebUI instance (PR:L) and must reach it over the network (AV:N) - typical for a web management UI. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-high but tempered by the authentication requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker logs into Hermes WebUI with any valid account, opens browser developer tools, and edits the hermes_profile cookie to the name of a higher-value profile (for example, an admin or finance profile) belonging to another user. On the next request, get_profile_cookie() accepts the forged value, the server scopes authorization to the attacker-chosen profile, and the attacker reads files, sessions, and resources that should have been isolated. |
| Remediation | Vendor-released patch: upgrade to Hermes WebUI 0.51.368 or later, which binds the active-profile cookie to the authenticated session (PRs https://github.com/nesquena/hermes-webui/pull/4023 and https://github.com/nesquena/hermes-webui/pull/4036, commit https://github.com/nesquena/hermes-webui/commit/9e96f5f6adf93b6d1e27ebddfb4d2833ca06ff3b). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Hermes WebUI deployments and confirm current version status; check access logs for suspicious cross-profile activity patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Hermes Webui
View allUnauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t
Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass
Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic
Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files ou
Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran
Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra
Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans
Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availabi
Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint
Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user oper
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today