Description
Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.
Published: 2026-06-17
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI versions prior to 0.51.368 allow an authenticated attacker to forge the hermes_profile cookie, causing the get_profile_cookie() function to accept any profile name without proper authentication. This forgery bypasses profile‑scoped authorization checks, enabling the attacker to access sessions, files, and resources belonging to other profiles, effectively granting unauthorized cross‑profile data exposure. The vulnerability stems from improper validation of cookie‑based profile identifiers and is classified as a “Profile‑Scoped Authorization Bypass.”

Affected Systems

The affected product is Hermes WebUI from the vendor nesquena, specifically all releases before 0.51.368. No other vendor or version is explicitly cited as impacted.

Risk and Exploitability

With a CVSS score of 8.6, the vulnerability is high severity, yet its EPSS score of less than 1% indicates a low exploitation likelihood at present. The exploit would involve constructing a forged hermes_profile cookie and sending it to the web application; because the bypass requires an authenticated session, the attacker must first gain or masquerade as a legitimate user. The vulnerability is not listed in CISA’s KEV catalog, so no widespread known exploitation activity is reported.

Generated by OpenCVE AI on June 18, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.368 or newer.
  • Configure the application to enforce HTTPOnly and Secure attributes on the hermes_profile cookie and validate the cookie value against an authenticated session list.
  • Enable multi‑factor authentication for all users and regularly audit session logs for anomalous cookie activity.

Generated by OpenCVE AI on June 18, 2026 at 20:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nesquena
Nesquena hermes-webui
Vendors & Products Nesquena
Nesquena hermes-webui

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.
Title Hermes WebUI < 0.51.368 - Profile-Scoped Authorization Bypass via Forged hermes_profile Cookie
Weaknesses CWE-565
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Nesquena Hermes-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:16:57.297Z

Reserved: 2026-06-10T21:23:54.283Z

Link: CVE-2026-53871

cve-icon Vulnrichment

Updated: 2026-06-18T13:50:15.480Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-565

    Reliance on Cookies without Validation and Integrity Checking