Description
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.
Published: 2026-06-11
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI before version 0.51.358 suffers from an improper access control flaw (CWE-306) that allows an unauthenticated attacker to set a password during the initial setup by sending the _set_password parameter to the /api/settings endpoint. This can result in the attacker obtaining a valid session cookie, taking over the account, and preventing the legitimate operator from accessing the instance.

Affected Systems

The affected product is Hermes WebUI as distributed by nesquena. Any deployment running a version prior to 0.51.358 is vulnerable. The vulnerability applies to the settings API endpoint accessed during the first-run configuration window.

Risk and Exploitability

The CVSS score of 9.2 (Critical) reflects severe impact if exploited: the vector records an unauthenticated, network-reachable attack with high confidentiality and integrity impact. EPSS is not available, so the probability of exploitation cannot be quantified; the vulnerability has a CVE entry but no KEV listing yet, suggesting that exploitation is not yet widespread. Based on the description, the likely attack vector is an unauthenticated POST request to /api/settings while the instance is still in its initial-setup state. Because there is no network origin restriction, any host that can reach the service can send that request.

Generated by OpenCVE AI on June 11, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.358 or later, which removes the ability to set passwords without authentication.
  • During the initial setup window, limit external access to the /api/settings endpoint by configuring firewall rules or using network segmentation so that only trusted internal hosts can reach it.
  • Enable logging and alerting for POST requests to /api/settings and review logs for unauthorized attempts, especially during the first-run phase.
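The logging-and-alerting action above, worked through as an added example that is not part of the OpenCVE record or the Hermes WebUI project: it scans reverse-proxy access logs for POST requests to /api/settings from addresses outside the operator's trusted networks and raises the severity when the request falls inside the first-run window. The combined-format log lines, the trusted networks 127.0.0.0/8 and 10.0.0.0/8, and the 30-minute setup window are all constructed assumptions for this example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample access-log lines (combined log format) standing in for
# what a reverse proxy in front of Hermes WebUI might record. They are not
# real logs from the project; the public addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2026:20:05:12 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.42 - - [11/Jun/2026:20:06:01 +0000] "POST /api/settings HTTP/1.1" 200 87 "-" "python-requests/2.31"
127.0.0.1 - - [11/Jun/2026:20:07:44 +0000] "POST /api/settings HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jun/2026:21:15:30 +0000] "POST /api/settings HTTP/1.1" 401 23 "-" "curl/8.4.0"
this line is not a valid access-log record
"""

# Assumed trusted operator networks (loopback plus one internal RFC 1918
# range); adjust to the deployment.
TRUSTED_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8"))

# Assumed first-run window: from the time the instance came up until the
# operator finished setup. Constructed for this example.
SETUP_WINDOW = (
    datetime(2026, 6, 11, 20, 0, tzinfo=timezone.utc),
    datetime(2026, 6, 11, 20, 30, tzinfo=timezone.utc),
)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop any query string so /api/settings?x=y still matches the endpoint.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_trusted(src, trusted=TRUSTED_NETS):
    """True when the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in trusted)


def find_settings_post_alerts(lines, window=SETUP_WINDOW, trusted=TRUSTED_NETS):
    """Return alert records for POSTs to /api/settings from untrusted sources.

    Severity is 'critical' inside the first-run window (the state in which the
    unauthenticated password write is possible) and 'notice' otherwise.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/api/settings":
            continue
        if is_trusted(rec["src"], trusted):
            continue
        in_window = window[0] <= rec["ts"] <= window[1]
        rec["severity"] = "critical" if in_window else "notice"
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_settings_post_alerts(SAMPLE_LOG.splitlines()):
        print(f'{a["severity"]:8} {a["src"]:15} {a["ts"].isoformat()} status={a["status"]}')
```

Access logs carry the method, path, source and status but not the request body, so the presence of the _set_password parameter itself is not visible at this layer; the rule therefore keys on "POST to /api/settings from outside the trusted networks" and uses the setup window to rank severity. A proxy or WAF that logs request bodies would allow a tighter match, and the network restriction from the previous action reduces the untrusted-source cases to zero in the first place.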

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 23:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nesquena; Nesquena hermes-webui
Vendors & Products                    Nesquena; Nesquena hermes-webui

Thu, 11 Jun 2026 20:00:00 +0000

Type         Values Removed   Values Added
Description                   Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.
Title                         Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings
Weaknesses                    CWE-306
References
Metrics                       cvssV3_1: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}
                              cvssV4_0: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-11T19:04:08.505Z

Reserved: 2026-06-02T16:30:15.234Z

Link: CVE-2026-49973

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-11T20:16:25.050

Modified: 2026-06-11T20:50:49.480

Link: CVE-2026-49973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T23:15:09Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function