CVE Alert

CVE-2026-49955

MEDIUM 5.3

Hermes WebUI < 0.51.270 Resource Exhaustion via passkey/options

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing the assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.

CWE: CWE-770
Vendor: nesquena
Product: hermes-webui
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Affected Versions

nesquena / hermes-webui
0 < 0.51.270

References

github.com: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.270
github.com: https://github.com/nesquena/hermes-webui/pull/3624
github.com: https://github.com/nesquena/hermes-webui/pull/3674
github.com: https://github.com/nesquena/hermes-webui/commit/58528a4d88b0fa4f7b822e31d6051c669769bd3b
vulncheck.com: https://www.vulncheck.com/advisories/hermes-webui-resource-exhaustion-via-passkey-options

Credits

Chia Min Jun Lennon