Skip to main content

Hermes WebUI CVE-2026-58123

| EUVDEUVD-2026-42722 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-07-09 VulnCheck GHSA-ph29-g65g-m574
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Missing authentication on network terminal endpoints gives unauthenticated low-complexity RCE (AV:N/AC:L/PR:N/UI:N); full OS command execution yields C:H/I:H/A:H, no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 22:06 vuln.today

DescriptionCVE.org

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.

AnalysisAI

Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell commands by reaching the product's embedded terminal API without any credentials. Because of a missing authentication check (CWE-306), an attacker chains four sequential unauthenticated HTTP requests to create a session, attach a PTY shell, and inject commands, executing code as the server process user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Hermes WebUI over network
Delivery
Send unauthenticated session-create request
Exploit
Attach PTY shell via API
Execution
Write shell commands to input endpoint
Impact
Execute code as server process user

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the Hermes WebUI HTTP service and access to its embedded terminal API endpoints (the session-create, PTY-attach, and terminal-input endpoints); no credentials, tokens, or user interaction are needed, matching AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a Hermes WebUI instance over the network sends an unauthenticated request to create a terminal session, a second to attach a PTY shell, and then writes shell commands to the terminal input endpoint, gaining command execution as the web server process user. Because no credentials, user interaction, or elevated privileges are needed and complexity is low, an internet-exposed instance could be compromised by a simple automated script; no public exploit code has been identified at time of analysis.
Remediation Vendor-released patch: v0.51.788 - upgrade Hermes WebUI to 0.51.788 or later, which is the primary and authoritative fix (release: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.788, patch commit d257e5f36cfa9328600c8bde6f0de09a6ad9b6f4, PR 5268). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Hermes WebUI deployments and identify versions prior to 0.51.788; isolate externally accessible instances pending remediation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-58122 CRITICAL
9.3 Jul 09

Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t

CVE-2026-55196 CRITICAL
9.1 Jun 17

Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass

CVE-2026-49973 CRITICAL
9.2 Jun 11

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin

CVE-2026-53871 HIGH
8.6 Jun 17

Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files,

CVE-2026-6832 HIGH
7.2 Apr 21

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic

CVE-2026-11322 HIGH
7.1 Jun 04

Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files ou

CVE-2026-49956 HIGH
7.1 Jun 09

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran

CVE-2026-55198 HIGH
7.1 Jun 17

Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra

CVE-2026-55197 HIGH
7.1 Jun 17

Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans

CVE-2026-49955 MEDIUM
6.9 Jun 09

Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availabi

CVE-2026-55205 MEDIUM
6.9 Jun 18

Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint

CVE-2026-58174 MEDIUM
6.0 Jun 30

Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user oper

Share

CVE-2026-58123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy