CVE-2026-55197
Status: Deferred - Pending Action
Hermes WebUI Broken Access Control Exposes Session Transcripts

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: VulnCheck

Description
Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET /api/session?session_id=<foreign_id>&messages=1 to retrieve unauthorized conversation transcripts and metadata.
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor   Product        Version / Range
hermes   hermes_webui   up to 0.51.443 (exclusive; 0.51.443 is the fixed release)
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

Hermes WebUI before version 0.51.443 has a broken access control vulnerability in its /api/session endpoint.

This vulnerability allows authenticated users to bypass profile boundary checks by querying session IDs that belong to other user profiles.

By sending a GET request to /api/session with a foreign session_id and messages=1, attackers can retrieve unauthorized conversation transcripts and metadata from other profiles.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive conversation transcripts and metadata from other user profiles.

Attackers who are authenticated can access private session data that they should not have permission to view.

This can result in privacy breaches, exposure of confidential information, and potential misuse of the disclosed data.

Compliance Impact

This vulnerability allows authenticated users to access session transcripts and metadata of other profiles without authorization, leading to unauthorized disclosure of potentially sensitive personal data.

Such unauthorized data exposure can breach data protection obligations under regulations such as GDPR and, where the deployment handles protected health information for a covered US entity, HIPAA, both of which require access to personal and sensitive data to be restricted to those authorized to see it.

Therefore, this broken access control issue could result in non-compliance with these standards due to failure to adequately protect user data confidentiality.

Detection Guidance

The vulnerable behaviour is that GET /api/session returns a transcript for any session_id the caller supplies, whether or not that session belongs to the caller's profile.

To test whether your deployment is affected, authenticate as a low-privileged test account and request a session_id that belongs to a second test account you also control (never a real user's session). A 200 response carrying the other account's messages or metadata confirms the flaw; a patched server should answer exactly as it does for a session that does not exist.

To detect exploitation in production, use the access logs of the web server or reverse proxy in front of Hermes WebUI, where the authenticated user and the full query string are recorded, and join each /api/session request against your own record of which profile owns each session_id. Requests whose session_id belongs to a different profile than the requester, and a single account touching many distinct session_ids in a short window, are the indicators to alert on.

  • curl -i -H "Cookie: <your test account's authenticated session cookie>" "http://<target>/api/session?session_id=<foreign_id>&messages=1" (replace the header with whatever credential your deployment actually uses; an unauthenticated request does not exercise the flaw, which requires an authenticated user)
  • Packet capture (Wireshark, tcpdump) only exposes the session_id parameter where traffic is plaintext HTTP or is captured at the TLS-terminating proxy; access logs that record the authenticated identity are more useful, because a request is only suspicious relative to who sent it.
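As an added example, not part of this advisory and not Hermes WebUI's own code: the join described above, run over a handful of constructed access-log lines. The log format, the user-to-profile and session-to-profile tables, and the session ID format are all assumptions made up for the illustration; substitute your proxy's real log format and the application's ownership data. Successful cross-profile reads (HTTP 200) are reported as disclosures, and any account that probes several foreign session IDs is reported as enumerating, which still shows up after patching because a fixed server answers those probes with 404.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log sample (combined-log style, authenticated user in the
# third field). Not Hermes WebUI's real log format: adapt LOG_RE to what your
# reverse proxy or app server actually emits.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Jun/2026:10:01:02 +0000] "GET /api/session?session_id=s-1001&messages=1 HTTP/1.1" 200 5120
10.0.0.5 - alice [17/Jun/2026:10:01:09 +0000] "GET /api/session?session_id=s-2002&messages=1 HTTP/1.1" 200 7734
10.0.0.5 - alice [17/Jun/2026:10:01:11 +0000] "GET /api/session?session_id=s-2003&messages=1 HTTP/1.1" 200 1182
10.0.0.9 - bob [17/Jun/2026:10:02:30 +0000] "GET /api/session?session_id=s-2002&messages=1 HTTP/1.1" 200 7734
10.0.0.9 - bob [17/Jun/2026:10:02:41 +0000] "GET /api/session?session_id=s-1001 HTTP/1.1" 404 19
10.0.0.7 - carol [17/Jun/2026:10:03:00 +0000] "GET /api/health HTTP/1.1" 200 2
"""

# Constructed ownership data (assumption: in a real deployment both tables come
# from the application's database). Session IDs here are opaque strings; the
# advisory does not specify their format.
USER_PROFILE = {"alice": "profile-A", "bob": "profile-B", "carol": "profile-C"}
SESSION_OWNER = {"s-1001": "profile-A", "s-2002": "profile-B", "s-2003": "profile-B"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def find_cross_profile_access(log_text, user_profile, session_owner, enum_threshold=2):
    """Flag /api/session requests whose session_id belongs to another profile.

    Returns (alerts, enumeration):
      alerts      - successful (HTTP 200) cross-profile reads, i.e. actual disclosure
      enumeration - users that touched at least enum_threshold distinct foreign
                    session IDs, whatever the status code
    """
    alerts = []
    foreign_ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/api/session":
            continue
        sid = rec["query"].get("session_id")
        if sid is None:
            continue
        requester = user_profile.get(rec["user"])
        owner = session_owner.get(sid)
        if requester is None or owner is None or owner == requester:
            continue  # own session, or an ID we cannot attribute: not a cross-profile read
        foreign_ids_by_user[rec["user"]].add(sid)
        if rec["status"] == 200:
            alerts.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "user": rec["user"],
                "requester_profile": requester,
                "session_id": sid,
                "owner_profile": owner,
                # messages=1 is the form that returns the full transcript
                "transcript": rec["query"].get("messages") == "1",
            })
    enumeration = {u: len(ids) for u, ids in foreign_ids_by_user.items()
                   if len(ids) >= enum_threshold}
    return alerts, enumeration


if __name__ == "__main__":
    hits, probing = find_cross_profile_access(SAMPLE_LOG, USER_PROFILE, SESSION_OWNER)
    for h in hits:
        print(f"DISCLOSURE {h['ts']} {h['user']}@{h['ip']} read {h['session_id']} "
              f"owned by {h['owner_profile']} (transcript={h['transcript']})")
    for user, n in probing.items():
        print(f"ENUMERATION {user} touched {n} foreign session IDs")
```

On the sample, alice's two successful reads of profile-B sessions are reported as disclosures and alice is flagged for enumeration; bob's single 404 probe of a profile-A session is counted but stays below the threshold, and bob reading his own session is ignored.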
Mitigation Strategies

The fix is to upgrade Hermes WebUI to 0.51.443 or later; every earlier version is affected, and no configuration change removes the flaw.

If you maintain the code or cannot upgrade immediately, the missing check belongs in the /api/session handler on the server side: the requested session is returned only when its owning profile matches the profile of the authenticated caller, taken from the server-side login session and never from a request parameter. Scoping the lookup by both profile and session_id rather than by session_id alone makes the check impossible to forget, and answering a foreign session_id with the same response as a nonexistent one stops the endpoint from confirming which IDs exist.

Until the patch is deployed, reduce exposure by restricting who can reach the WebUI at all (VPN, IP allow-list, or an authenticating reverse proxy) and by alerting on /api/session requests whose session_id does not belong to the requester, as described under Detection Guidance. Network-level controls cannot tell an own-session request from a foreign one, so they shrink the attacker population rather than close the hole.
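The following is an added illustration, not Hermes WebUI's code and not the upstream fix (whose details this advisory does not show): a minimal stand-in for the /api/session handler in its key-only form beside the hardened form. The Session and Caller types, the in-memory STORE and the sample transcripts are constructed for the example; in a real application the store is the database and Caller is populated from the authenticated login session.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Session:
    session_id: str
    profile_id: str          # the profile that owns this transcript
    title: str
    messages: List[dict] = field(default_factory=list)


@dataclass
class Caller:
    """The authenticated identity, taken from the server-side login session.

    It must never be derived from a request parameter, or the ownership check
    below becomes as forgeable as the session_id itself.
    """
    user: str
    profile_id: str


# Constructed stand-in for the application's session store (assumption).
STORE: Dict[str, Session] = {
    "s-1001": Session("s-1001", "profile-A", "alice's notes",
                      [{"role": "user", "content": "hi"}]),
    "s-2002": Session("s-2002", "profile-B", "bob's private chat",
                      [{"role": "user", "content": "secret"}]),
}

NOT_FOUND: Tuple[int, dict] = (404, {"error": "not found"})


def _render(s: Session, messages: bool) -> dict:
    body = {"session_id": s.session_id, "title": s.title, "profile_id": s.profile_id}
    if messages:  # messages=1 in the query string asks for the transcript itself
        body["messages"] = list(s.messages)
    return body


def get_session_vulnerable(caller: Caller, session_id: str, messages: bool = False) -> Tuple[int, dict]:
    """Key-only lookup, the CWE-639 pattern: the caller's profile never enters the
    query, so any authenticated user can read any session by supplying its ID."""
    s = STORE.get(session_id)
    if s is None:
        return NOT_FOUND
    return 200, _render(s, messages)


def get_session_fixed(caller: Caller, session_id: str, messages: bool = False) -> Tuple[int, dict]:
    """Ownership is part of the lookup: the record is returned only if it belongs
    to the caller's profile. A foreign session gets exactly the same answer as a
    nonexistent one, so the endpoint cannot be used to discover other profiles' IDs."""
    s = STORE.get(session_id)
    if s is None or s.profile_id != caller.profile_id:
        return NOT_FOUND
    return 200, _render(s, messages)


if __name__ == "__main__":
    alice = Caller("alice", "profile-A")
    for handler in (get_session_vulnerable, get_session_fixed):
        status, body = handler(alice, "s-2002", messages=True)
        print(f"{handler.__name__}: alice reads bob's session -> {status} {body}")
```

With alice authenticated, the vulnerable handler hands over bob's transcript with a 200, while the fixed handler returns the same 404 it returns for an ID that does not exist; alice's own session is still served normally.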
