Hermes WebUI: Three Auth Bypass CVEs Disclosed Together

Key findings
- Two broken-access-control CVEs allow authenticated users to exfiltrate session data from other profiles
- CVE-2026-55196 lets unauthenticated attackers register arbitrary passkeys when passkey mode is enabled
- All three bugs were disclosed together on June 17, 2026
- Patches available in versions 0.51.409 (CVE-2026-55196) and 0.51.443 (session bugs)
- No active exploitation reported as of disclosure date
Three authorization and authentication bypass vulnerabilities were disclosed together on June 17, 2026 in Nesquena's Hermes WebUI, a web-based interface for the Hermes messaging system. The batch includes two broken-access-control flaws that allow authenticated users to steal session data from other profiles and one critical authentication bypass that lets unauthenticated attackers register passkeys and take over instances that have passkey-based login enabled. Together, the bugs expose Hermes WebUI deployments to cross-profile data theft and, in certain configurations, full remote account takeover.
Two of the CVEs, CVE-2026-55198 and CVE-2026-55197, share the same root cause: the API layer does not enforce profile boundaries on session-related endpoints, so possession of a session ID is treated as sufficient proof of access (a broken object-level authorization bug). CVE-2026-55198 is in the session export handler (_handle_session_export in api/routes.py), which does not verify that the requesting user's profile owns the session being serialized; an authenticated attacker can call the endpoint with a session ID belonging to another profile and receive that session's exported data. CVE-2026-55197 is the parallel issue in the /api/session endpoint: a direct request to GET /api/session?session_id=<id> returns the full transcript for any valid session ID, bypassing the profile-boundary check that should limit a user to their own sessions. Both flaws affect Hermes WebUI versions before 0.51.443.
The third vulnerability, CVE-2026-55196, is more severe in impact. It sits in the passkey registration flow, which is enabled with the HERMES_WEBUI_PASSKEY=1 configuration flag. The endpoints POST /api/auth/passkey/register/options and POST /api/auth/passkey/register require no authentication as long as no credentials have been set up yet, so an unauthenticated remote attacker who reaches such a deployment before a legitimate credential exists can register a passkey of their choosing and effectively take over the WebUI instance. The flaw affects versions before 0.51.409; because it was fixed earlier than the session bugs, it is present in a narrower range of releases, but on those releases the consequence is complete control of the instance rather than data exposure.
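To make the two bug classes concrete, the following added example (illustrative code, not Hermes WebUI's own, written to cover both the session-endpoint bugs above and the passkey registration flaw) models each beside a hardened form. The in-memory Store, the Principal and Session types, the handler names and the sample data are all hypothetical, and the one-time setup-token bootstrap in the fixed registration handler is an assumed design, not the project's actual fix.

```python
# Added illustration, not Hermes WebUI code; store, handlers and names are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

class Unauthorized(Exception): pass   # no authenticated principal (401)
class NotFound(Exception): pass       # missing or foreign session, same answer (404)

@dataclass
class Principal:
    profile_id: str

@dataclass
class Session:
    session_id: str
    profile_id: str      # owning profile
    transcript: list

@dataclass
class Store:
    sessions: dict = field(default_factory=dict)
    passkeys: dict = field(default_factory=dict)  # credential_id -> profile_id
    setup_token: Optional[str] = None             # one-time bootstrap secret

# --- Session retrieval/export (CVE-2026-55197/55198 pattern) ---

def get_session_vulnerable(store, principal, session_id):
    """Looks the session up by id only: any authenticated caller can read it."""
    return store.sessions[session_id].transcript

def get_session_fixed(store, principal, session_id):
    """Requires a principal and checks that the session belongs to its profile."""
    if principal is None:
        raise Unauthorized
    session = store.sessions.get(session_id)
    # Unknown and foreign ids get the same error, so the response does not
    # confirm that another profile's session id exists.
    if session is None or session.profile_id != principal.profile_id:
        raise NotFound
    return session.transcript

# --- Passkey registration (CVE-2026-55196 pattern) ---

def register_passkey_vulnerable(store, principal, credential_id):
    """Auth is demanded only once a passkey exists, so the first caller, even
    an unauthenticated one, enrolls the credential that owns the instance."""
    if principal is None and store.passkeys:
        raise Unauthorized
    owner = principal.profile_id if principal else "admin"
    store.passkeys[credential_id] = owner
    return owner

def register_passkey_fixed(store, principal, credential_id, setup_token=None):
    """An authenticated principal enrolls for itself; the bootstrap case needs a
    one-time operator token. (Assumed scheme, not the project's actual fix.)"""
    if principal is not None:
        owner = principal.profile_id
    elif (store.setup_token is not None and setup_token is not None
          and hmac.compare_digest(store.setup_token, setup_token)):
        owner = "admin"
        store.setup_token = None    # single use: a replay of the token fails
    else:
        raise Unauthorized
    store.passkeys[credential_id] = owner
    return owner

def _outcome(fn, *args, **kwargs):
    """Return the handler's result, or the name of the exception it raised."""
    try:
        return fn(*args, **kwargs)
    except (Unauthorized, NotFound) as exc:
        return type(exc).__name__

def run_demo():
    """Exercise both pairs on constructed data; returns a dict of outcomes."""
    store = Store(setup_token=secrets.token_urlsafe(16))
    store.sessions["s-alice"] = Session("s-alice", "alice", ["hello", "secret"])
    token = store.setup_token
    mallory = Principal("mallory")   # low-privileged but authenticated
    results = {
        "vuln_cross_profile": _outcome(get_session_vulnerable, store, mallory, "s-alice"),
        "fixed_cross_profile": _outcome(get_session_fixed, store, mallory, "s-alice"),
        "fixed_own": _outcome(get_session_fixed, store, Principal("alice"), "s-alice"),
        "fixed_unknown": _outcome(get_session_fixed, store, mallory, "s-missing"),
        "vuln_anon_register": _outcome(register_passkey_vulnerable, store, None, "cred-1"),
        "fixed_anon_register": _outcome(register_passkey_fixed, store, None, "cred-2"),
        "fixed_bootstrap": _outcome(register_passkey_fixed, store, None, "cred-3", setup_token=token),
        "fixed_replay": _outcome(register_passkey_fixed, store, None, "cred-4", setup_token=token),
    }
    results["enrolled"] = dict(store.passkeys)
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The session handlers show the whole difference between the two CVE classes and their fix: the vulnerable lookup keys only on the ID, the hardened one keys on the pair (caller's profile, session) and answers "not found" for both unknown and foreign IDs so the endpoint cannot be used to probe which IDs exist. The registration pair shows why "no credentials yet" is not a safe gate: it is satisfied by whoever arrives first, which on a reachable instance is not necessarily the operator.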
No reports of in-the-wild exploitation have been published as of the disclosure date. The vulnerabilities were discovered and reported through responsible disclosure channels, and the Nesquena team has released patches. CVE-2026-55196 was fixed in version 0.51.409, while CVE-2026-55198 and CVE-2026-55197 were fixed in version 0.51.443. Administrators running Hermes WebUI should upgrade to at least 0.51.443 to address all three CVEs. Upgrading closes the open registration endpoints but does not revoke a passkey that an attacker may already have enrolled, so operators of passkey-enabled deployments that were reachable while unpatched should review the registered credentials and remove any they do not recognize. For deployments that do not need passkey-based login, leaving HERMES_WEBUI_PASSKEY unset keeps the registration endpoints disabled and removes the attack surface for CVE-2026-55196.
This batch is notable for the clarity of its pattern: two of the three bugs are identical in class (broken access control on session APIs), and the third is a separate but equally straightforward authentication bypass. For organizations using Hermes WebUI to manage messaging infrastructure, the cross-profile session exfiltration bugs are especially concerning because they allow a low-privileged authenticated user to siphon sensitive conversation data from other profiles. The passkey bypass, while requiring a specific configuration to be exploitable, grants complete control of the WebUI instance to anyone who finds an unpatched, passkey-enabled deployment.