Impact
Hermes WebUI versions prior to 0.51.468 expose the unauthenticated POST /api/onboarding/oauth/start endpoint to resource exhaustion. The endpoint allows unbounded accumulation of in‑memory flow state and daemon threads, enabling attackers to send repeated or concurrent requests that consume server memory and thread resources. By exhausting these resources, an attacker can cause service interruption and may trigger repeated outbound device‑code requests to upstream OAuth providers, potentially leading to additional unwanted traffic or denial of that service.
Affected Systems
The vulnerability affects Hermes WebUI from vendor nesquena. All releases older than version 0.51.468 are impacted and should be considered vulnerable.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate to high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote unauthenticated web request to the listed endpoint. Because the condition requires only repeated or concurrent requests, the exploitability is relatively low effort for an attacker willing to stress the system.
OpenCVE Enrichment