Description
Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.
Published: 2026-06-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI versions prior to 0.51.468 expose the unauthenticated POST /api/onboarding/oauth/start endpoint to resource exhaustion. The endpoint allows unbounded accumulation of in‑memory flow state and daemon threads, enabling attackers to send repeated or concurrent requests that consume server memory and thread resources. By exhausting these resources, an attacker can cause service interruption and may trigger repeated outbound device‑code requests to upstream OAuth providers, potentially leading to additional unwanted traffic or denial of that service.

Affected Systems

The vulnerability affects Hermes WebUI from vendor nesquena. All releases older than version 0.51.468 are impacted and should be considered vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote unauthenticated web request to the listed endpoint. Because the condition requires only repeated or concurrent requests, the exploitability is relatively low effort for an attacker willing to stress the system.

Generated by OpenCVE AI on June 18, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes WebUI to version 0.51.468 or later to apply the official fix
  • Restrict or rate‑limit access to the /api/onboarding/oauth/start endpoint, for example by enforcing authentication or firewall rules
  • Monitor system memory and thread usage to detect abnormal spikes and respond quickly to potential attacks

Generated by OpenCVE AI on June 18, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Nesquena
Nesquena hermes-webui
Vendors & Products Nesquena
Nesquena hermes-webui

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.
Title Hermes WebUI < 0.51.468 - Resource Exhaustion via Unauthenticated OAuth Flow Endpoint
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Nesquena Hermes-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:17:01.444Z

Reserved: 2026-06-16T15:53:37.765Z

Link: CVE-2026-55205

cve-icon Vulnrichment

Updated: 2026-06-18T17:36:27.901Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling