Description
Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, enabling attackers to exfiltrate foreign session transcripts by guessing or knowing session identifiers.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can request the session export endpoint to retrieve session data belonging to other user profiles. The vulnerability arises because the endpoint does not verify ownership of the requested session IDs before serializing the session data, allowing attackers to exfiltrate foreign session transcripts. This flaw enables the disclosure of potentially sensitive information, compromising confidentiality.

Affected Systems

Hermes WebUI versions earlier than 0.51.443 are affected. The product is distributed by nesquena under the Hermes WebUI vendor name. Users running any version prior to the 0.51.443 release are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact, while the EPSS score of <1% suggests exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. Attackers need only be authenticated to the system and must know or guess a valid session identifier. Once they have a session ID, the flaw permits unrestricted retrieval of that session’s data.

Generated by OpenCVE AI on June 18, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.443 or later to apply the authorization check fix.
  • Configure the application to restrict access to the session export endpoint to administrators only, removing or limiting permissions for other user profiles.
  • Monitor authentication and export activity logs for suspicious session ID requests, and investigate any anomalous usage patterns.

Generated by OpenCVE AI on June 18, 2026 at 20:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nesquena
Nesquena hermes-webui
Vendors & Products Nesquena
Nesquena hermes-webui

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, enabling attackers to exfiltrate foreign session transcripts by guessing or knowing session identifiers.
Title Hermes WebUI < 0.51.443 - Cross-Profile Session Data Exfiltration via Session Export Endpoint
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Nesquena Hermes-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T19:30:54.755Z

Reserved: 2026-06-16T15:53:37.764Z

Link: CVE-2026-55198

cve-icon Vulnrichment

Updated: 2026-06-17T19:30:48.718Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:45:03Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key