CVE-2026-58122
nesquena · hermes-webui
An authentication bypass vulnerability in Hermes WebUI allows attackers to spoof X-Forwarded-For headers to circumvent IP restrictions and perform unauthorized actions on onboarding endpoints.
Executive summary
A critical authentication bypass vulnerability in nesquena hermes-webui allows unauthenticated remote attackers to spoof IP headers to access sensitive internal configurations and steal authentication tokens.
Vulnerability
The application incorrectly trusts the X-Forwarded-For header for IP validation, allowing unauthenticated attackers to bypass security checks and perform server-side request forgery or access sensitive configuration data.
Business impact
This vulnerability enables attackers to perform unauthorized actions such as accessing cloud metadata, overwriting LLM provider configurations, or stealing OAuth tokens. With a CVSS score of 9.1, the risk of credential theft and unauthorized internal access is extreme, potentially leading to long-term persistence in the target environment.
Remediation
Immediate Action: Upgrade nesquena hermes-webui to version 0.51.307 or later to correctly validate origin IP addresses and mitigate header-spoofing risks.
Proactive Monitoring: Audit logs for suspicious X-Forwarded-For header values and unexpected access attempts to onboarding or configuration-related API endpoints.
Compensating Controls: Configure reverse proxies or load balancers to sanitize or ignore incoming X-Forwarded-For headers from untrusted external sources.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to bypass authentication and manipulate internal configurations poses a severe security risk. Administrators should update to version 0.51.307 immediately and review existing configurations to ensure no illicit changes were made prior to patching.