Impact
Hermes WebUI versions prior to 0.51.409 contain an authentication bypass in the passkey registration API. When the service is configured with HERMES_WEBUI_PASSKEY=1 and no administrator credentials exist, the POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints accept requests without any authentication. An attacker who can reach the service can therefore register a passkey as its first credential and permanently acquire administrative control of the WebUI. This flaw is a classic instance of Missing Authentication (CWE-306).
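To make the CWE-306 condition concrete, the following is an added example (not Hermes WebUI code) of an authorization gate for the two registration endpoints: the first function reproduces the described pre-0.51.409 behaviour, where "no administrator yet" is treated as permission, and the second shows a hardened gate that requires either an authenticated administrator or a single-use bootstrap secret that only someone with host access can read. The type names, the bootstrap-token pattern and the function names are assumptions for illustration.

```python
# Added example, not the project's own code. Names (WebUIState, Request,
# authorize_*) and the bootstrap-token mitigation pattern are hypothetical.
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

# Endpoints named in the advisory.
REGISTER_PATHS = {"/api/auth/passkey/register/options", "/api/auth/passkey/register"}

@dataclass
class WebUIState:
    passkey_enabled: bool                  # HERMES_WEBUI_PASSKEY=1
    admin_exists: bool                     # at least one administrator credential stored
    bootstrap_token: Optional[str] = None  # single-use secret, hardened path only

@dataclass
class Request:
    path: str
    authenticated_admin: bool = False      # valid administrator session present
    bootstrap_token: Optional[str] = None  # secret supplied by the operator on first run

def authorize_vulnerable(state: WebUIState, req: Request) -> bool:
    """Behaviour described in the advisory: when no administrator exists, the
    register endpoints require no authentication at all (the CWE-306 gap)."""
    if req.path not in REGISTER_PATHS or not state.passkey_enabled:
        return False
    return req.authenticated_admin or not state.admin_exists  # anonymous callers pass here

def issue_bootstrap_token(state: WebUIState) -> str:
    """Hardened path (assumed mitigation): mint a one-time secret at startup that is
    only exposed on the host, e.g. written to the server console, never over HTTP."""
    state.bootstrap_token = secrets.token_urlsafe(32)
    return state.bootstrap_token

def authorize_hardened(state: WebUIState, req: Request) -> bool:
    """Registration needs an authenticated administrator, or, during first-run
    bootstrap only, the single-use token; reachability alone is never enough."""
    if req.path not in REGISTER_PATHS or not state.passkey_enabled:
        return False
    if req.authenticated_admin:
        return True
    if state.admin_exists or not state.bootstrap_token or not req.bootstrap_token:
        return False
    ok = hmac.compare_digest(state.bootstrap_token, req.bootstrap_token)
    if ok:
        state.bootstrap_token = None  # consumed: a second use is refused
    return ok
```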
Affected Systems
Affected systems are installations of Hermes WebUI running any release earlier than 0.51.409 with the passkey feature enabled. The vulnerability is present as long as the environment variable HERMES_WEBUI_PASSKEY is set to 1 and the instance starts without an existing administrator account. The identified commit that introduced the fix is available in the v0.51.442 release. Systems already patched to 0.51.409 or later, or that have not enabled passkey registration, are not affected.
Risk and Exploitability
The CVSS score of 9.1 indicates a high severity, while the EPSS score of below 1% suggests that the probability of exploitation in the wild is currently very low. The vulnerability can be exploited simply by sending unauthenticated POST requests from any network that can reach the target; the only preconditions are that the passkey feature is enabled and that no administrator credentials exist yet. Because it grants full administrative privileges, the impact is severe; the likelihood, however, hinges on that specific configuration. Although this issue has not yet been listed in CISA's KEV catalog, security teams should treat it with priority if those conditions apply.
OpenCVE Enrichment