CVE-2026-58122

nesquena · hermes-webui

An authentication bypass vulnerability in Hermes WebUI allows attackers to spoof X-Forwarded-For headers to circumvent IP restrictions and perform unauthorized actions on onboarding endpoints.

Executive summary

A critical authentication bypass vulnerability in nesquena hermes-webui allows unauthenticated remote attackers to spoof IP headers to access sensitive internal configurations and steal authentication tokens.

Vulnerability

The application incorrectly trusts the X-Forwarded-For header for IP validation, allowing unauthenticated attackers to bypass security checks and perform server-side request forgery or access sensitive configuration data.

Business impact

This vulnerability enables attackers to perform unauthorized actions such as accessing cloud metadata, overwriting LLM provider configurations, or stealing OAuth tokens. With a CVSS score of 9.1, the risk of credential theft and unauthorized internal access is extreme, potentially leading to long-term persistence in the target environment.

Remediation

Immediate Action: Upgrade nesquena hermes-webui to version 0.51.307 or later to correctly validate origin IP addresses and mitigate header-spoofing risks.

Proactive Monitoring: Audit logs for suspicious X-Forwarded-For header values and unexpected access attempts to onboarding or configuration-related API endpoints.

Compensating Controls: Configure reverse proxies or load balancers to sanitize or ignore incoming X-Forwarded-For headers from untrusted external sources.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to bypass authentication and manipulate internal configurations poses a severe security risk. Administrators should update to version 0.51.307 immediately and review existing configurations to ensure no illicit changes were made prior to patching.