Skip to main content

Hermes WebUI CVE-2026-55205

| EUVDEUVD-2026-37904 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-18 VulnCheck GHSA-hq7f-wv7c-w9mp
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network endpoint with no complexity; unbounded thread and heap exhaustion from sustained flooding warrants A:H over A:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 17:09 vuln.today
Analysis Generated
Jun 18, 2026 - 17:09 vuln.today

DescriptionCVE.org

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.

AnalysisAI

Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint that accumulates unbounded in-memory OAuth flow state and daemon polling threads with each incoming request, enabling remote denial of service without authentication. The root cause - confirmed by vendor release notes and fix commit ce272d9 - is the absence of any deduplication or serialization check before allocating a new flow entry and spawning a worker thread per request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-accessible Hermes WebUI instance
Delivery
Send concurrent unauthenticated POST /api/onboarding/oauth/start requests
Exploit
Server allocates new flow state and daemon thread per request
Execution
Heap and thread pool resources exhausted
Impact
Hermes WebUI service becomes unavailable to legitimate users

Vulnerability AssessmentAI

Exploitation The POST /api/onboarding/oauth/start endpoint must be reachable over the network - this is its default exposure in Hermes WebUI before 0.51.468, as the endpoint is explicitly unauthenticated (PR:N per the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, score 6.9) characterizes this as a moderate-severity network-accessible unauthenticated DoS with low availability impact on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker targeting a publicly accessible Hermes WebUI deployment sends a high-concurrency flood of POST requests to /api/onboarding/oauth/start - achievable with common HTTP benchmarking tools - causing the server to allocate a new in-memory flow object and spawn a daemon polling thread for each request. As heap and thread pool resources deplete, the Hermes WebUI process becomes unresponsive to legitimate users, and simultaneous outbound device-code calls to configured OAuth providers may trigger upstream rate limiting, compounding the denial-of-service effect. …
Remediation Upgrade Hermes WebUI to version 0.51.468 or later, which resolves the issue by implementing single-flight serialization per (provider, hermes_home) pair under an atomic flows lock (fix commit: https://github.com/nesquena/hermes-webui/commit/ce272d9cd5f8e5a4521278f56eb5388010901646, release: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.468). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-58123 CRITICAL
9.3 Jul 09

Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell

CVE-2026-58122 CRITICAL
9.3 Jul 09

Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t

CVE-2026-55196 CRITICAL
9.1 Jun 17

Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass

CVE-2026-49973 CRITICAL
9.2 Jun 11

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin

CVE-2026-53871 HIGH
8.6 Jun 17

Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files,

CVE-2026-6832 HIGH
7.2 Apr 21

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic

CVE-2026-11322 HIGH
7.1 Jun 04

Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files ou

CVE-2026-49956 HIGH
7.1 Jun 09

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran

CVE-2026-55198 HIGH
7.1 Jun 17

Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra

CVE-2026-55197 HIGH
7.1 Jun 17

Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans

CVE-2026-49955 MEDIUM
6.9 Jun 09

Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availabi

CVE-2026-58174 MEDIUM
6.0 Jun 30

Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user oper

Share

CVE-2026-55205 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy