Description
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.
Published: 2026-06-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI versions prior to 0.51.269 expose a profile isolation bypass that allows an authenticated user to retrieve session titles and transcript content from profiles that are not the user’s active profile. The flaw is due to a missing authorization check on the session search endpoint, effectively granting users the ability to read information that should be restricted. This results in a confidentiality violation of other users’ data, consistent with CWE‑862 – Missing Authorization.

Affected Systems

The affected product is Hermes WebUI, managed by the vendor nesquena. All installations running any release lower than 0.51.269 are vulnerable; versions 0.51.269 and later contain the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is application‑level over the network, as the attacker would send HTTP requests to the session search endpoint. Because the flaw is exploitable with normal authentication credentials and does not require elevated privileges, the risk to systems that allow multiple user profiles is significant, especially where sensitive session data is involved.

Generated by OpenCVE AI on June 9, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.269 or later.
  • Ensure the session search endpoint enforces active‑profile filtering by testing with a non‑admin user and verifying that data from other profiles is not returned.
  • If an immediate upgrade is not possible, temporarily disable the session search functionality for non‑admin users until the patch can be applied.

Generated by OpenCVE AI on June 9, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Nesquena
Nesquena hermes-webui
Vendors & Products Nesquena
Nesquena hermes-webui
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.
Title Hermes WebUI < 0.51.269 Profile Isolation Bypass via sessions search
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nesquena Hermes-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T17:51:17.388Z

Reserved: 2026-06-02T16:30:15.232Z

Link: CVE-2026-49956

cve-icon Vulnrichment

Updated: 2026-06-09T17:49:46.263Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T17:17:48.943

Modified: 2026-06-09T19:36:10.547

Link: CVE-2026-49956

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T18:15:10Z

Weaknesses