Skip to main content

Hermes Webui

16 CVEs product

Monthly

CVE-2026-58122 CRITICAL PATCH Act Now

Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints that are supposed to be restricted to loopback traffic by spoofing an X-Forwarded-For header with a 127.0.0.1 value. Once past the origin check, an attacker can pivot to server-side request forgery against internal services and cloud metadata endpoints, overwrite LLM provider configuration and API keys, or start an OAuth device-code flow to mint persistent tokens saved in auth.json. A vendor patch exists; the flaw carries a CVSS 4.0 score of 9.3, but no public exploit code has been identified at time of analysis.

Authentication Bypass SSRF Hermes Webui
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-58123 CRITICAL PATCH Act Now

Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell commands by reaching the product's embedded terminal API without any credentials. Because of a missing authentication check (CWE-306), an attacker chains four sequential unauthenticated HTTP requests to create a session, attach a PTY shell, and inject commands, executing code as the server process user. Reported by VulnCheck with a CVSS 4.0 base score of 9.3; a vendor patch is available and no public exploit code has been identified at time of analysis.

Authentication Bypass RCE Hermes Webui
NVD GitHub
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-58174 MEDIUM PATCH This Month

Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user operating under the default profile to read files scoped to other named profiles' workspaces. The /api/session/import handler validates the workspace against the active named profile but omits setting the profile field on the constructed Session object, persisting it with a null profile value. Because the authorization layer treats null profile as equivalent to the default profile, any default-profile user can exploit imported session identifiers to traverse the intended profile boundary and extract file contents - a complete defeat of the application's workspace isolation model. No public exploit is identified at time of analysis, and a vendor-released patch is available at v0.51.521.

Information Disclosure Hermes Webui
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-55205 MEDIUM PATCH This Month

Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint that accumulates unbounded in-memory OAuth flow state and daemon polling threads with each incoming request, enabling remote denial of service without authentication. The root cause - confirmed by vendor release notes and fix commit ce272d9 - is the absence of any deduplication or serialization check before allocating a new flow entry and spawning a worker thread per request. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Denial Of Service Hermes Webui
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-55198 HIGH PATCH This Week

Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session transcripts belonging to other profiles by calling the session export endpoint with a guessed or known session ID. The flaw is a classic IDOR (CWE-639) in the _handle_session_export handler, which omits active-profile ownership checks before serializing the requested session. No public exploit identified at time of analysis, but VulnCheck published a coordinated advisory and the upstream fix is shipped in v0.51.443.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55197 HIGH PATCH This Week

Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation transcripts and metadata belonging to other profiles by passing a foreign session_id to the /api/session endpoint. The flaw is a classic IDOR (CWE-639) where profile boundary checks are missing on by-id reads. No public exploit identified at time of analysis, but the trigger is a single trivial GET request and the upstream patch openly describes the fix as 'scope session by-id reads + exports to active profile,' which discloses the bypass.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55196 CRITICAL PATCH Act Now

Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first passkey on instances where HERMES_WEBUI_PASSKEY=1 is set and no credentials yet exist, yielding permanent administrative control. The flaw resides in the passkey registration API endpoints, which fail to enforce authentication during the initial enrollment window. No public exploit identified at time of analysis, but a vendor patch is available and the issue was disclosed by VulnCheck.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.6%
CVE-2026-53871 HIGH PATCH This Week

Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files, and resources belonging to other profiles by forging the hermes_profile cookie. The flaw lives in get_profile_cookie(), which trusted attacker-supplied profile names without binding them to the authenticated session. VulnCheck reported the issue and an upstream patch is available; no public exploit identified at time of analysis.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-49973 CRITICAL PATCH Act Now

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settings API endpoint during the first-run window to POST the _set_password parameter, persist an arbitrary password hash, and obtain a valid administrative session cookie. The flaw, reported by VulnCheck and tracked as an improper access control (CWE-306) issue, locks the legitimate operator out of their own instance and grants full administrative control. No public exploit identified at time of analysis, but an upstream fix landed in release v0.51.358.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-49956 HIGH PATCH This Week

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and transcript message content from other users' profiles by querying the sessions search endpoint, which fails to scope results to the caller's active profile. The flaw was reported by VulnCheck and a vendor patch is available; no public exploit identified at time of analysis, but the issue is trivial to trigger for any logged-in account.

Authentication Bypass Hermes Webui
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-49955 MEDIUM PATCH This Month

Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availability by abusing the WebAuthn passkey options endpoint without rate limiting or challenge lifecycle enforcement. Repeated POST requests to the authentication endpoint cause the server-side challenge store file to grow without bound, generating sustained CPU load and disk I/O pressure through continuous JSON file rewrites. No public exploit identified at time of analysis and not listed in CISA KEV; EPSS data was not available in provided intelligence. The fix is confirmed in the vendor-released v0.51.270.

Denial Of Service Hermes Webui
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-11322 HIGH PATCH This Week

Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files outside the designated workspace by placing symlinks that resolve to external host paths and accessing them through the workspace file or listing APIs. Because the vulnerable code only blocked raw '..' traversal and a small denylist of system directories rather than enforcing that resolved targets stay within the workspace root, attackers can disclose sensitive host content such as SSH keys, cloud credentials, and application tokens. No public exploit identified at time of analysis, but the patch and a VulnCheck advisory are published and the fix is straightforward to reverse-engineer from the upstream commit.

Information Disclosure Path Traversal Hermes Webui Suse
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-22677 MEDIUM PATCH This Month

Path traversal in Hermes WebUI's session import endpoint allows authenticated low-privileged attackers to read arbitrary files accessible to the WebUI process. By importing a crafted session JSON with an unrestricted workspace value such as '/', an attacker bypasses the workspace boundary controls that govern every other workspace-bearing endpoint, then leverages the file API to exfiltrate any file readable by the WebUI process user. No active exploitation is confirmed (absent from CISA KEV), EPSS sits at 0.04% in the 12th percentile, and SSVC rates exploitation as none - but the CVSS 4.0 confidentiality impact is rated High, making this a meaningful risk for network-exposed deployments with authenticated user populations.

Path Traversal Hermes Webui
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-6832 HIGH PATCH This Week

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.

Path Traversal Hermes Webui
NVD GitHub
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-6830 MEDIUM PATCH This Month

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.

Information Disclosure Hermes Webui
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-6829 MEDIUM PATCH This Month

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.

Path Traversal Hermes Webui
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints that are supposed to be restricted to loopback traffic by spoofing an X-Forwarded-For header with a 127.0.0.1 value. Once past the origin check, an attacker can pivot to server-side request forgery against internal services and cloud metadata endpoints, overwrite LLM provider configuration and API keys, or start an OAuth device-code flow to mint persistent tokens saved in auth.json. A vendor patch exists; the flaw carries a CVSS 4.0 score of 9.3, but no public exploit code has been identified at time of analysis.

Authentication Bypass SSRF Hermes Webui
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell commands by reaching the product's embedded terminal API without any credentials. Because of a missing authentication check (CWE-306), an attacker chains four sequential unauthenticated HTTP requests to create a session, attach a PTY shell, and inject commands, executing code as the server process user. Reported by VulnCheck with a CVSS 4.0 base score of 9.3; a vendor patch is available and no public exploit code has been identified at time of analysis.

Authentication Bypass RCE Hermes Webui
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user operating under the default profile to read files scoped to other named profiles' workspaces. The /api/session/import handler validates the workspace against the active named profile but omits setting the profile field on the constructed Session object, persisting it with a null profile value. Because the authorization layer treats null profile as equivalent to the default profile, any default-profile user can exploit imported session identifiers to traverse the intended profile boundary and extract file contents - a complete defeat of the application's workspace isolation model. No public exploit is identified at time of analysis, and a vendor-released patch is available at v0.51.521.

Information Disclosure Hermes Webui
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint that accumulates unbounded in-memory OAuth flow state and daemon polling threads with each incoming request, enabling remote denial of service without authentication. The root cause - confirmed by vendor release notes and fix commit ce272d9 - is the absence of any deduplication or serialization check before allocating a new flow entry and spawning a worker thread per request. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Denial Of Service Hermes Webui
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session transcripts belonging to other profiles by calling the session export endpoint with a guessed or known session ID. The flaw is a classic IDOR (CWE-639) in the _handle_session_export handler, which omits active-profile ownership checks before serializing the requested session. No public exploit identified at time of analysis, but VulnCheck published a coordinated advisory and the upstream fix is shipped in v0.51.443.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation transcripts and metadata belonging to other profiles by passing a foreign session_id to the /api/session endpoint. The flaw is a classic IDOR (CWE-639) where profile boundary checks are missing on by-id reads. No public exploit identified at time of analysis, but the trigger is a single trivial GET request and the upstream patch openly describes the fix as 'scope session by-id reads + exports to active profile,' which discloses the bypass.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first passkey on instances where HERMES_WEBUI_PASSKEY=1 is set and no credentials yet exist, yielding permanent administrative control. The flaw resides in the passkey registration API endpoints, which fail to enforce authentication during the initial enrollment window. No public exploit identified at time of analysis, but a vendor patch is available and the issue was disclosed by VulnCheck.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files, and resources belonging to other profiles by forging the hermes_profile cookie. The flaw lives in get_profile_cookie(), which trusted attacker-supplied profile names without binding them to the authenticated session. VulnCheck reported the issue and an upstream patch is available; no public exploit identified at time of analysis.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settings API endpoint during the first-run window to POST the _set_password parameter, persist an arbitrary password hash, and obtain a valid administrative session cookie. The flaw, reported by VulnCheck and tracked as an improper access control (CWE-306) issue, locks the legitimate operator out of their own instance and grants full administrative control. No public exploit identified at time of analysis, but an upstream fix landed in release v0.51.358.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and transcript message content from other users' profiles by querying the sessions search endpoint, which fails to scope results to the caller's active profile. The flaw was reported by VulnCheck and a vendor patch is available; no public exploit identified at time of analysis, but the issue is trivial to trigger for any logged-in account.

Authentication Bypass Hermes Webui
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availability by abusing the WebAuthn passkey options endpoint without rate limiting or challenge lifecycle enforcement. Repeated POST requests to the authentication endpoint cause the server-side challenge store file to grow without bound, generating sustained CPU load and disk I/O pressure through continuous JSON file rewrites. No public exploit identified at time of analysis and not listed in CISA KEV; EPSS data was not available in provided intelligence. The fix is confirmed in the vendor-released v0.51.270.

Denial Of Service Hermes Webui
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files outside the designated workspace by placing symlinks that resolve to external host paths and accessing them through the workspace file or listing APIs. Because the vulnerable code only blocked raw '..' traversal and a small denylist of system directories rather than enforcing that resolved targets stay within the workspace root, attackers can disclose sensitive host content such as SSH keys, cloud credentials, and application tokens. No public exploit identified at time of analysis, but the patch and a VulnCheck advisory are published and the fix is straightforward to reverse-engineer from the upstream commit.

Information Disclosure Path Traversal Hermes Webui +1
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Path traversal in Hermes WebUI's session import endpoint allows authenticated low-privileged attackers to read arbitrary files accessible to the WebUI process. By importing a crafted session JSON with an unrestricted workspace value such as '/', an attacker bypasses the workspace boundary controls that govern every other workspace-bearing endpoint, then leverages the file API to exfiltrate any file readable by the WebUI process user. No active exploitation is confirmed (absent from CISA KEV), EPSS sits at 0.04% in the 12th percentile, and SSVC rates exploitation as none - but the CVSS 4.0 confidentiality impact is rated High, making this a meaningful risk for network-exposed deployments with authenticated user populations.

Path Traversal Hermes Webui
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.

Path Traversal Hermes Webui
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.

Information Disclosure Hermes Webui
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.

Path Traversal Hermes Webui
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy