CVE-2026-58122 PUBLISHED

Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing

Assigner: VulnCheck
Reserved: 29.06.2026 Published: 09.07.2026 Updated: 09.07.2026

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor nesquena
Product hermes-webui
Versions Default: affected
  • affected from 0 to 0.51.307 (excl.)

Credits

  • fantasticsquirrel finder

References

Problem Types

  • Use of Less Trusted Source CWE