Description
Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET /api/session?session_id=<foreign_id>&messages=1 to retrieve unauthorized conversation transcripts and metadata.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI versions earlier than 0.51.443 suffer from a broken access control flaw in the /api/session endpoint that permits an authenticated user to retrieve session transcripts belonging to another profile. The endpoint selects the session by the caller-supplied session_id query parameter, and a request of the form GET /api/session?session_id=<foreign_id>&messages=1 returns the conversation transcript and metadata of a session the caller does not own, which violates the confidentiality and privacy guarantees between profiles. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the server trusts a client-controlled identifier to locate a resource without confirming that the authenticated caller is authorized for that specific resource.
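The pattern described above, as an added example that is not Hermes WebUI's own code: a minimal session-lookup handler that exhibits the CWE-639 defect beside a hardened version that scopes the lookup to the authenticated profile. The in-memory store, the profile names, the handler signature and the request-dispatch helper are assumptions made for illustration; the query-string shape is the one in the CVE description.

```python
"""Added illustration of CWE-639 in a session endpoint; not project code.
Store layout, profile ids and handler signatures are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Session:
    session_id: str
    owner_profile: str
    title: str
    messages: list = field(default_factory=list)


# Constructed sample data: two profiles, one private session each.
SESSIONS = {
    "sess-a1": Session("sess-a1", "alice", "Alice's chat", ["hi", "private plans"]),
    "sess-b2": Session("sess-b2", "bob", "Bob's chat", ["hello", "bob's notes"]),
}


def serialize(session, include_messages):
    """Build the response body; transcript only when messages=1 was requested."""
    body = {"session_id": session.session_id, "title": session.title}
    if include_messages:
        body["messages"] = list(session.messages)
    return body


def get_session_vulnerable(current_profile, session_id, messages=False):
    """Defective handler: the session is selected purely by the caller-supplied
    id, so any authenticated profile can read any other profile's transcript."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 404, {"error": "not found"}
    return 200, serialize(session, messages)  # current_profile is never consulted


def get_session_fixed(current_profile, session_id, messages=False):
    """Hardened handler: ownership is part of the lookup condition.  A foreign
    id is answered exactly like a nonexistent one so the endpoint does not
    become an oracle for which session ids exist."""
    session = SESSIONS.get(session_id)
    if session is None or session.owner_profile != current_profile:
        return 404, {"error": "not found"}
    return 200, serialize(session, messages)


def handle_request(handler, current_profile, query_string):
    """Parse the GET query from the advisory (session_id=...&messages=1) and
    dispatch it to one of the handlers above with the caller's profile."""
    params = parse_qs(query_string)
    session_id = params.get("session_id", [""])[0]
    want_messages = params.get("messages", ["0"])[0] == "1"
    return handler(current_profile, session_id, want_messages)


if __name__ == "__main__":
    # bob asks for alice's session: leaks on the vulnerable handler, 404 on the fix.
    print(handle_request(get_session_vulnerable, "bob", "session_id=sess-a1&messages=1"))
    print(handle_request(get_session_fixed, "bob", "session_id=sess-a1&messages=1"))
```

The fix puts the owner comparison inside the same condition as the existence check rather than as a later branch, so a developer adding a new code path cannot forget it, and the identical 404 body for "missing" and "not yours" keeps the endpoint from confirming valid identifiers to a caller who is guessing them.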

Affected Systems

The affected product is nesquena Hermes WebUI. All releases earlier than 0.51.443 are vulnerable. Administrators should verify the installed version and upgrade to 0.51.443 or later.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 (6.5 under CVSS 3.1) places the vulnerability in the High severity band, while the EPSS score below 1% indicates a very low predicted likelihood of exploitation in the wild. Exploitation requires an authenticated account (PR:L), is reachable over the network with low attack complexity and no user interaction (AV:N/AC:L/UI:N), and affects confidentiality only (C:H). The attacker must also know or guess a session identifier belonging to another profile; once they have one, the profile boundary is bypassed simply by supplying it to the session endpoint. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records exploitation at the proof-of-concept level, so no confirmed in-the-wild exploitation has been reported.

Generated by OpenCVE AI on June 18, 2026 at 20:01 UTC.

Remediation

No vendor advisory or workaround is listed on this page. The CVE description bounds the affected range at versions before 0.51.443, so 0.51.443 is the first release expected to contain the fix.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.443 or newer to receive the access-control fix
  • Ensure that the /api/session endpoint returns a session only when it belongs to the authenticated profile, and verify this with two test accounts: a request for the other account's session ID must be refused, including when messages=1 is supplied
  • If you suspect that session IDs may have been exposed, regenerate session identifiers for affected users and review access logs for /api/session requests whose session_id does not belong to the requesting profile
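A way to carry out the log review in the last recommendation, added here as an example and not taken from Hermes WebUI or OpenCVE: a small detector that parses access-log lines for /api/session, joins the requested session_id against a session-ownership map, and reports both confirmed cross-profile reads (status 200, which is what a pre-0.51.443 instance would log) and the set of foreign IDs each profile probed (enumeration attempts, which still show up as 404s after the upgrade). The log line format, the ownership map and the sample lines are all constructed for the example.

```python
"""Added detection example; not project code.  The log format
"<ts> <profile> <method> <path?query> <status>" and the ownership map
are assumptions; the sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed ownership map: session id -> owning profile.
OWNERS = {"sess-a1": "alice", "sess-a2": "alice", "sess-b2": "bob"}

# Constructed access-log excerpt.  bob reads his own session, then two of
# alice's (200 = disclosure on an unpatched instance), then guesses an id.
SAMPLE_LOG = """\
2026-06-18T10:00:01Z alice GET /api/session?session_id=sess-a1&messages=1 200
2026-06-18T10:00:05Z bob GET /api/session?session_id=sess-b2&messages=1 200
2026-06-18T10:00:09Z bob GET /api/session?session_id=sess-a1&messages=1 200
2026-06-18T10:00:10Z bob GET /api/session?session_id=sess-a2&messages=1 200
2026-06-18T10:00:11Z bob GET /api/session?session_id=sess-zz&messages=1 404
2026-06-18T10:00:12Z alice GET /api/health 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return the fields of a /api/session request, or None for other lines."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts, profile, _method, target, status = match.groups()
    parts = urlsplit(target)
    if parts.path != "/api/session":
        return None
    session_id = parse_qs(parts.query).get("session_id", [None])[0]
    if session_id is None:
        return None
    return {"ts": ts, "profile": profile, "session_id": session_id, "status": int(status)}


def find_cross_profile_reads(log_text, owners):
    """Scan the log and return (confirmed_reads, foreign_ids_by_profile).

    confirmed_reads: (ts, requesting profile, session id, real owner) for every
      200 response to a session the requester does not own (data disclosed).
    foreign_ids_by_profile: every session id a profile requested that is not
      its own, whatever the status, to surface guessing/enumeration.
    """
    confirmed = []
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        owner = owners.get(rec["session_id"])
        if owner == rec["profile"]:
            continue  # legitimate read of the caller's own session
        foreign[rec["profile"]].add(rec["session_id"])
        if rec["status"] == 200 and owner is not None:
            confirmed.append((rec["ts"], rec["profile"], rec["session_id"], owner))
    return confirmed, {p: sorted(ids) for p, ids in foreign.items()}


if __name__ == "__main__":
    reads, probes = find_cross_profile_reads(SAMPLE_LOG, OWNERS)
    for ts, who, sid, owner in reads:
        print(f"{ts} DISCLOSURE: {who} read {sid} owned by {owner}")
    for who, ids in probes.items():
        print(f"{who} requested foreign session ids: {', '.join(ids)}")
```

Run it against real logs by replacing SAMPLE_LOG with the file contents and OWNERS with a dump of the session table; the authenticated profile must already be present in the log line (or joinable from the session cookie), since the request URL alone says nothing about who made it.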

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Nesquena
                                       Nesquena hermes-webui
Vendors & Products                     Nesquena
                                       Nesquena hermes-webui

Thu, 18 Jun 2026 04:45:00 +0000

Type          Values Removed   Values Added
Description                    Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET /api/session?session_id=<foreign_id>&messages=1 to retrieve unauthorized conversation transcripts and metadata.
Title                          Hermes WebUI < 0.51.443 - Broken Access Control in /api/session Endpoint
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T18:51:38.359Z

Reserved: 2026-06-16T15:53:37.764Z

Link: CVE-2026-55197

Vulnrichment

Updated: 2026-06-17T18:51:23.211Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key