๐Ÿ” CVE Alert

CVE-2026-58122

CRITICAL 9.1

Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing

CVSS Score
9.1
EPSS Score
0.3%
EPSS Percentile
21th

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.

CWE CWE-348
Vendor nesquena
Product hermes-webui
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for nesquena hermes-webui

Be the first to know when new critical vulnerabilities affecting nesquena hermes-webui are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

nesquena / hermes-webui
0 < 0.51.307

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.307 github.com: https://github.com/nesquena/hermes-webui/pull/3758 github.com: https://github.com/nesquena/hermes-webui/commit/70596e6993be0d4cee083c1c1a86f5e7ad5d57b7 vulncheck.com: https://www.vulncheck.com/advisories/hermes-webui-authentication-bypass-via-x-forwarded-for-header-spoofing

Credits

fantasticsquirrel