Skip to main content

Hermes WebUI EUVDEUVD-2026-35494

| CVE-2026-49955 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-09 VulnCheck GHSA-wwx5-jq7h-rp7v
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 09, 2026 - 17:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 09, 2026 - 16:51 vuln.today
Analysis Generated
Jun 09, 2026 - 16:51 vuln.today

DescriptionCVE.org

Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.

AnalysisAI

Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availability by abusing the WebAuthn passkey options endpoint without rate limiting or challenge lifecycle enforcement. Repeated POST requests to the authentication endpoint cause the server-side challenge store file to grow without bound, generating sustained CPU load and disk I/O pressure through continuous JSON file rewrites. No public exploit identified at time of analysis and not listed in CISA KEV; EPSS data was not available in provided intelligence. The fix is confirmed in the vendor-released v0.51.270.

Technical ContextAI

The affected component is the passkey (WebAuthn/FIDO2) authentication flow in Hermes WebUI, a web-based interface developed by nesquena (CPE: cpe:2.3:a:nesquena:hermes-webui:*:*:*:*:*:*:*:*). During a standard WebAuthn assertion, the server generates a cryptographic challenge and temporarily stores it pending client completion. In vulnerable versions before 0.51.270, the server neither enforces challenge expiration nor limits how many pending challenges a single caller may accumulate. Challenges are persisted to a flat JSON file; each new challenge triggers a full read-modify-write cycle of that file, meaning throughput scales linearly with request rate. CWE-770 (Allocation of Resources Without Limits or Throttling) is the root cause class - the application allocates storage and I/O resources on demand for each incoming request without any bounding mechanism, making the resource pool exploitable by any client that can reach the endpoint.

RemediationAI

Upgrade Hermes WebUI to v0.51.270, the vendor-released patch confirmed at https://github.com/nesquena/hermes-webui/releases/tag/v0.51.270 and implemented via commit 58528a4d88b0fa4f7b822e31d6051c669769bd3b (https://github.com/nesquena/hermes-webui/commit/58528a4d88b0fa4f7b822e31d6051c669769bd3b). If immediate upgrade is not possible, operators should place a reverse proxy or WAF in front of Hermes WebUI configured to rate-limit POST requests to the passkey options endpoint (e.g., restrict to a maximum of N requests per source IP per minute); note that aggressive rate limits may affect legitimate high-concurrency login flows. Alternatively, disabling the passkey authentication feature entirely removes the attack surface, with the trade-off of losing WebAuthn login capability for all users. Blocking unauthenticated external access to the authentication endpoints via network controls is a further compensating measure for deployments not requiring internet-facing passkey enrollment.

CVE-2026-58123 CRITICAL
9.3 Jul 09

Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell

CVE-2026-58122 CRITICAL
9.3 Jul 09

Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t

CVE-2026-55196 CRITICAL
9.1 Jun 17

Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass

CVE-2026-49973 CRITICAL
9.2 Jun 11

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin

CVE-2026-53871 HIGH
8.6 Jun 17

Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files,

CVE-2026-6832 HIGH
7.2 Apr 21

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic

CVE-2026-11322 HIGH
7.1 Jun 04

Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files ou

CVE-2026-49956 HIGH
7.1 Jun 09

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran

CVE-2026-55198 HIGH
7.1 Jun 17

Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra

CVE-2026-55197 HIGH
7.1 Jun 17

Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans

CVE-2026-55205 MEDIUM
6.9 Jun 18

Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint

CVE-2026-58174 MEDIUM
6.0 Jun 30

Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user oper

Share

EUVD-2026-35494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy