VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2026

Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass

CVE-2026-55196

Description

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing authentication checks on passkey registration endpoints allow unauthenticated remote enrollment when no credentials exist."

Attack vector

An unauthenticated remote attacker sends POST requests to `/api/auth/passkey/register/options` and `/api/auth/passkey/register` while the `HERMES_WEBUI_PASSKEY=1` feature flag is enabled and no credentials have been configured. Because the server does not require authentication for these endpoints when no password hash exists, the attacker can complete the WebAuthn registration flow and claim the first passkey, thereby gaining permanent administrative control over the Hermes WebUI instance. The patch introduces a check that rejects remote (non-loopback) client addresses during this bootstrap phase, and requires a valid session when authentication is already enabled [ref_id=1].

What the fix does

The commit adds new test cases and corresponding logic to enforce authentication on the passkey registration endpoints. Specifically, when no password hash exists (first-time setup), the server now allows registration only from a loopback client address (`127.0.0.1`), preventing remote attackers from bootstrapping a passkey. When authentication is already enabled, the endpoints require a valid session cookie verified via `verify_session`. These changes close the bypass by ensuring that passkey enrollment is never accessible to unauthenticated remote callers [patch_id=6466844].
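The authorization decision the two paragraphs above describe, modelled as an added example (this is not Hermes WebUI's code; the in-memory `AuthState`, the gate functions and the simulated `register_passkey` flow are all hypothetical stand-ins). The vulnerable gate admits any caller while no credentials exist; the hardened gate admits only loopback callers during that bootstrap window and otherwise requires a valid session. One assumption is made explicit in the code: "credentials exist" is taken to mean either a stored password hash or at least one registered passkey, which is what makes the first enrollment the one that matters.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Hypothetical in-memory stand-in for the WebUI's credential store (not Hermes' real code).
@dataclass
class AuthState:
    password_hash: Optional[str] = None                # None: no password ever set
    passkeys: List[str] = field(default_factory=list)  # registered credential IDs

    def auth_enabled(self) -> bool:
        # Assumption for this example: credentials "exist" once either a password
        # hash or at least one passkey has been stored.
        return self.password_hash is not None or bool(self.passkeys)


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; anything unparseable is treated as remote."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def vulnerable_gate(state: AuthState, client_ip: str, session_valid: bool) -> bool:
    """Pre-0.51.409 behaviour as the advisory describes it: with no credentials
    configured, the registration endpoints require nothing at all."""
    if not state.auth_enabled():
        return True
    return session_valid


def hardened_gate(state: AuthState, client_ip: str, session_valid: bool) -> bool:
    """Fixed behaviour: bootstrap enrollment only from a loopback peer address;
    once authentication is enabled, only with a valid session."""
    if not state.auth_enabled():
        return is_loopback(client_ip)
    return session_valid


Gate = Callable[[AuthState, str, bool], bool]


def register_passkey(state: AuthState, gate: Gate, client_ip: str,
                     session_valid: bool, credential_id: str) -> bool:
    """Simulates register/options followed by register, collapsed into one call.
    Returns True if the credential was stored."""
    if not gate(state, client_ip, session_valid):
        return False
    state.passkeys.append(credential_id)
    return True


def run_scenarios() -> dict:
    results = {}
    # 1. Unpatched: a remote attacker claims the first passkey on a fresh install.
    s = AuthState()
    results["vuln_remote_bootstrap"] = register_passkey(
        s, vulnerable_gate, "203.0.113.7", False, "attacker-cred")
    # 2. Patched: the same request on a fresh install is rejected.
    s = AuthState()
    results["fixed_remote_bootstrap"] = register_passkey(
        s, hardened_gate, "203.0.113.7", False, "attacker-cred")
    # 3. Patched: the operator bootstraps from loopback (IPv4 and IPv6 both count).
    results["fixed_loopback_v4"] = register_passkey(
        s, hardened_gate, "127.0.0.1", False, "admin-cred")
    results["fixed_loopback_v6"] = register_passkey(
        AuthState(), hardened_gate, "::1", False, "admin-cred")
    # 4. Patched, after bootstrap: remote enrollment is gated on a session.
    results["fixed_remote_no_session"] = register_passkey(
        s, hardened_gate, "203.0.113.7", False, "attacker-cred")
    results["fixed_remote_with_session"] = register_passkey(
        s, hardened_gate, "203.0.113.7", True, "second-admin-cred")
    results["stored"] = list(s.passkeys)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The loopback test is only as good as the address it is fed. In this example `client_ip` is meant to be the TCP peer address; if an instance sits behind a reverse proxy, the peer is the proxy and a naive check would accept every forwarded request during bootstrap, so a deployment of this pattern must apply the check to the real client address or restrict the bootstrap step to a listener that is only bound to loopback.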

Preconditions

  • config: The HERMES_WEBUI_PASSKEY=1 feature flag must be enabled.
  • config: No credentials (password hash) have been configured on the server yet, i.e. first-time setup has not been completed.
  • network: The attacker must be able to reach the Hermes WebUI HTTP endpoints over the network.
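A retrospective check for the network precondition, as an added example that is not part of this advisory or of the Hermes project: given an HTTP access log, list every non-loopback client that POSTed to the two registration endpoints, and single out those that received a 2xx on both, which is the trace a remote caller who completed the enrollment flow would leave. The log lines are constructed for the example and the common-log-style layout and regex are assumptions, since the page does not describe the WebUI's log format.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample access log (not real Hermes WebUI output). Two hosts hit the
# registration endpoints: the operator on loopback and a remote address that
# completed both steps; a third remote address was refused at the first step.
SAMPLE_LOG = """\
127.0.0.1 - - [17/Jun/2026:09:00:00 +0000] "POST /api/auth/passkey/register/options HTTP/1.1" 200 412
127.0.0.1 - - [17/Jun/2026:09:00:01 +0000] "POST /api/auth/passkey/register HTTP/1.1" 200 37
203.0.113.7 - - [17/Jun/2026:10:01:02 +0000] "POST /api/auth/passkey/register/options HTTP/1.1" 200 412
203.0.113.7 - - [17/Jun/2026:10:01:03 +0000] "POST /api/auth/passkey/register HTTP/1.1" 200 37
198.51.100.9 - - [17/Jun/2026:11:22:33 +0000] "POST /api/auth/passkey/register/options HTTP/1.1" 401 0
198.51.100.9 - - [17/Jun/2026:11:22:40 +0000] "GET /api/status HTTP/1.1" 200 90
"""

# Assumed layout: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

REGISTER_PATHS = frozenset({
    "/api/auth/passkey/register/options",
    "/api/auth/passkey/register",
})


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparseable addresses count as remote."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_log(text: str) -> List[dict]:
    """Turn each well-formed line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        events.append({"ip": ip, "ts": ts, "method": method,
                       "path": path, "status": int(status)})
    return events


def remote_registration_attempts(text: str) -> Dict[str, List[int]]:
    """Every POST to a registration endpoint from a non-loopback client,
    keyed by source IP, with the status codes returned, in log order."""
    attempts: Dict[str, List[int]] = defaultdict(list)
    for e in parse_log(text):
        if e["method"] == "POST" and e["path"] in REGISTER_PATHS \
                and not is_loopback(e["ip"]):
            attempts[e["ip"]].append(e["status"])
    return dict(attempts)


def completed_remote_enrollments(text: str) -> List[str]:
    """Non-loopback clients that received a 2xx on both endpoints, i.e. the
    full options-then-register sequence succeeded from over the network."""
    succeeded: Dict[str, set] = defaultdict(set)
    for e in parse_log(text):
        if e["method"] == "POST" and e["path"] in REGISTER_PATHS \
                and 200 <= e["status"] < 300 and not is_loopback(e["ip"]):
            succeeded[e["ip"]].add(e["path"])
    return sorted(ip for ip, paths in succeeded.items() if paths == REGISTER_PATHS)


if __name__ == "__main__":
    print("remote attempts:", remote_registration_attempts(SAMPLE_LOG))
    print("completed remote enrollments:", completed_remote_enrollments(SAMPLE_LOG))
```

On a patched instance a remote 2xx pair is still legitimate when it came from an authenticated session, and the access log alone cannot show that, so hits reported by `completed_remote_enrollments` are candidates to correlate with known administrator activity rather than verdicts. On an unpatched instance with no credentials configured, any such pair is the attack described on this page.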

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
