CVE-2026-58123
nesquena · hermes-webui
Hermes WebUI contains an unauthenticated remote code execution vulnerability in its embedded terminal API, allowing attackers to execute arbitrary shell commands via sequential HTTP requests.
Executive summary
A critical unauthenticated remote code execution vulnerability in nesquena hermes-webui allows remote attackers to execute arbitrary shell commands, posing a severe risk of full system compromise.
Vulnerability
The application fails to perform authentication on terminal API endpoints, permitting unauthenticated users to create sessions and execute arbitrary commands as the server process user.
Business impact
Successful exploitation allows an attacker to gain complete control over the host server, leading to unauthorized data access, lateral movement within the network, and potential system-wide disruption. With a CVSS score of 9.8, this vulnerability represents a critical risk that could lead to total loss of confidentiality, integrity, and availability.
Remediation
Immediate Action: Upgrade nesquena hermes-webui to version 0.51.788 or later immediately to patch the terminal API authentication flaw.
Proactive Monitoring: Review web server access logs for anomalous, sequential HTTP requests targeting terminal-related endpoints or unexpected shell command execution patterns.
Compensating Controls: Implement strict network access control lists (ACLs) to restrict access to the Hermes WebUI to trusted IP ranges, and deploy a WAF to inspect and block suspicious API call sequences.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This is a critical-severity vulnerability that requires immediate attention. Organizations running Hermes WebUI must prioritize patching to version 0.51.788 to prevent potential unauthenticated remote code execution.