COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-58122

CVE-2026-58122

Severity
critical
Source
NVD · cve
Published
2026-07-09
CVSS
9.1
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-58122
shame 45/100 auth-bypassdata-breachunpatched

Hermes WebUI before 0.51.307 allows unauthenticated attackers to bypass local-origin checks and access internal cloud metadata and API keys via spoofed headers.

This authentication bypass enables attackers to perform server-side request forgery against internal services, overwrite LLM provider configurations, and steal persistent OAuth tokens. DIB orgs using Hermes WebUI face immediate exposure to credential theft and unauthorized access to cloud metadata endpoints, requiring immediate patching and network segmentation review.

Shame score — A critical authentication bypass in a web UI component that allows unauthenticated access to internal services and credential theft, though not yet widely exploited in the wild.

Description

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.