CVE-2026-58122
Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing
CVSS Score
9.1
EPSS Score
0.3%
EPSS Percentile
21th
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.
| CWE | CWE-348 |
| Vendor | nesquena |
| Product | hermes-webui |
| Published | Jul 9, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for nesquena hermes-webui
Be the first to know when new critical vulnerabilities affecting nesquena hermes-webui are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
nesquena / hermes-webui
0 < 0.51.307
References
github.com: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.307 github.com: https://github.com/nesquena/hermes-webui/pull/3758 github.com: https://github.com/nesquena/hermes-webui/commit/70596e6993be0d4cee083c1c1a86f5e7ad5d57b7 vulncheck.com: https://www.vulncheck.com/advisories/hermes-webui-authentication-bypass-via-x-forwarded-for-header-spoofing
Credits
fantasticsquirrel