CVE-2026-55205
Status: Received - Intake
Hermes WebUI Resource Exhaustion via Unauthenticated OAuth Flow

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: VulnCheck

Description

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.
Meta Information

Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products

Showing 1 associated CPE

Vendor: nesquena
Product: hermes_webui
Version / Range: up to 0.51.468 (exclusive)
CWE

CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-55205 is a resource exhaustion vulnerability in Hermes WebUI versions before 0.51.468. It occurs in the unauthenticated POST /api/onboarding/oauth/start endpoint, where repeated or concurrent requests for the same OAuth provider and profile cause unbounded accumulation of in-memory flow state and daemon threads.

This happens because the OAuth onboarding start requests were not serialized, allowing multiple pending OAuth flows and background worker threads to be created simultaneously. This leads to excessive consumption of server memory and threads.

The vulnerability was fixed by implementing a single-flight mechanism that serializes the OAuth start process per provider and profile, ensuring duplicate requests reuse existing flows instead of creating new ones. This prevents unbounded resource accumulation and race conditions.

Impact Analysis

This vulnerability can lead to resource exhaustion on the server running Hermes WebUI by allowing attackers to consume excessive memory and thread resources through repeated or concurrent unauthenticated requests.

Such resource exhaustion can degrade server performance or cause denial-of-service (DoS) conditions, potentially making the service unavailable to legitimate users.

Additionally, the vulnerability may trigger repeated outbound device-code requests to upstream OAuth providers, which could further impact system stability and external service usage.

Detection Guidance

This vulnerability involves unbounded accumulation of in-memory flow state and daemon threads caused by repeated or concurrent unauthenticated POST requests to the /api/onboarding/oauth/start endpoint.

To detect this vulnerability on your system, monitor for unusually high memory and thread usage by the Hermes WebUI process, especially after receiving multiple POST requests to the /api/onboarding/oauth/start endpoint.

Useful checks include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and filter POST requests to /api/onboarding/oauth/start.
  • Check running threads and memory usage of the Hermes WebUI process with commands like `ps -T -p <pid>` and `top` or `htop`.
  • Use `netstat -anp | grep <hermes_webui_port>` to monitor active connections and repeated requests.
  • Analyze server logs for repeated unauthenticated POST requests to /api/onboarding/oauth/start.
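
One way to turn the last bullet into a repeatable check. This is an added example, not part of the advisory or of Hermes WebUI: it assumes the reverse proxy or server writes a Combined Log Format access log, and the sample lines below are constructed. It groups POSTs to /api/onboarding/oauth/start by client address and flags any client whose count inside a sliding window exceeds a threshold, which is the signature of the repeated or concurrent requests the advisory describes.

```python
"""Flag clients bursting POST /api/onboarding/oauth/start in an access log.

Added example, not part of the advisory or Hermes WebUI. It assumes a
Combined Log Format access log; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PATH = "/api/onboarding/oauth/start"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client fires 8 starts in under 30 s, another sends
# two starts minutes apart plus unrelated traffic; one line is unparseable.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2026:10:00:00 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
203.0.113.5 - - [18/Jun/2026:10:00:04 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
203.0.113.5 - - [18/Jun/2026:10:00:08 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
203.0.113.5 - - [18/Jun/2026:10:00:12 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
203.0.113.5 - - [18/Jun/2026:10:00:16 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
203.0.113.5 - - [18/Jun/2026:10:00:20 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
203.0.113.5 - - [18/Jun/2026:10:00:24 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
203.0.113.5 - - [18/Jun/2026:10:00:28 +0000] "POST /api/onboarding/oauth/start?x=1 HTTP/1.1" 200 312
198.51.100.7 - - [18/Jun/2026:10:01:00 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
198.51.100.7 - - [18/Jun/2026:10:01:05 +0000] "GET /api/status HTTP/1.1" 200 88
198.51.100.7 - - [18/Jun/2026:10:05:00 +0000] "POST /api/onboarding/oauth/start HTTP/1.1" 200 312
this line is not an access-log record
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore any query string
        "status": int(m["status"]),
    }


def target_posts(lines):
    """Group the timestamps of POSTs to TARGET_PATH by client address."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == TARGET_PATH:
            per_ip[rec["ip"]].append(rec["ts"])
    return per_ip


def find_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak} for clients whose POST count to TARGET_PATH inside
    any sliding window of length `window` exceeds `threshold`."""
    flagged = {}
    for ip, times in target_posts(lines).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

Run it over the constructed sample with `find_bursts(SAMPLE_LOG.splitlines())` and only 203.0.113.5 is flagged, with a peak of 8 requests inside one minute; the second client's two requests four minutes apart stay below the threshold. Tune `window` and `threshold` to the onboarding traffic you actually expect, which for a one-time setup endpoint is normally a handful of requests per client, and feed the parser the proxy's log rather than the application's if the two differ on client address.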

Mitigation Strategies

The primary mitigation is to update Hermes WebUI to version 0.51.468 or later, where the vulnerability has been fixed by implementing a single-flight mechanism that prevents unbounded accumulation of OAuth flows and daemon threads.

Until you can update, consider limiting or blocking unauthenticated POST requests to the /api/onboarding/oauth/start endpoint to prevent resource exhaustion.

  • Apply network-level controls such as firewall rules or API gateway restrictions to throttle or block repeated unauthenticated requests to the vulnerable endpoint.
  • Monitor system resource usage closely and restart the Hermes WebUI service if resource exhaustion symptoms appear.
  • Implement authentication or rate limiting on the onboarding OAuth start endpoint if possible to reduce exposure.
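
The single-flight mechanism named in the Executive Summary and again in the first mitigation above is a small concurrency pattern, and the shape of the bug is easier to see with the two variants side by side. The following is an added example, not Hermes WebUI's code and not the project's actual fix: it assumes a Python service that spawns a daemon thread per OAuth flow (the advisory's mention of daemon threads suggests that design, but the language is an assumption), and the `Flow` object, the `hammer` driver and the gated stand-in worker are all constructed for the demonstration. The pre-fix starter creates a new flow and thread for every request; the fixed starter keys pending flows by (provider, profile) under a lock, so a duplicate request is handed the flow already in progress and nothing new is allocated.

```python
"""Single-flight OAuth start, keyed by (provider, profile).

Added example, not Hermes WebUI code. It contrasts the pre-fix shape (every
request allocates a flow and a daemon thread) with a serialized start that
makes duplicate requests join the pending flow. Flow, worker and the
device-code call are stand-ins; the real worker would contact the provider.
"""
import threading
import uuid
from dataclasses import dataclass, field


@dataclass
class Flow:
    flow_id: str
    provider: str
    profile: str
    done: threading.Event = field(default_factory=threading.Event)


class NaiveOAuthStarter:
    """Pre-fix shape: each request creates a new flow and a new daemon thread."""

    def __init__(self, worker):
        self._worker = worker
        self.flows = {}  # flow_id -> Flow; grows without bound

    def start(self, provider, profile):
        flow = Flow(uuid.uuid4().hex, provider, profile)
        self.flows[flow.flow_id] = flow
        threading.Thread(target=self._worker, args=(flow,), daemon=True).start()
        return flow


class SingleFlightOAuthStarter:
    """Fixed shape: concurrent starts for one (provider, profile) share one flow."""

    def __init__(self, worker):
        self._worker = worker
        self._lock = threading.Lock()
        self._pending = {}  # (provider, profile) -> Flow currently in progress

    def start(self, provider, profile):
        key = (provider, profile)
        with self._lock:
            flow = self._pending.get(key)
            if flow is not None:
                return flow  # duplicate request joins the in-progress flow
            flow = Flow(uuid.uuid4().hex, provider, profile)
            self._pending[key] = flow
        threading.Thread(target=self._run, args=(key, flow), daemon=True).start()
        return flow

    def _run(self, key, flow):
        try:
            self._worker(flow)  # would perform the device-code request and polling
        finally:
            with self._lock:
                self._pending.pop(key, None)  # release the key when the flow ends
            flow.done.set()

    def pending_count(self):
        with self._lock:
            return len(self._pending)


def hammer(starter, n, provider="example-provider", profile="default"):
    """Issue n simultaneous start requests and return the Flow objects handed back."""
    flows = []
    barrier = threading.Barrier(n)

    def one():
        barrier.wait()  # release all requests at the same instant
        flows.append(starter.start(provider, profile))

    threads = [threading.Thread(target=one) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return flows


def run_demo(n=50):
    """Fire n simultaneous starts at both starters; count distinct flows created."""
    gate = threading.Event()
    worker = lambda flow: gate.wait(timeout=5)  # stand-in worker, blocks until released
    naive_flows = hammer(NaiveOAuthStarter(worker), n)
    fixed = SingleFlightOAuthStarter(worker)
    fixed_flows = hammer(fixed, n)
    pending_during = fixed.pending_count()
    gate.set()  # let every worker finish
    for flow in fixed_flows:
        flow.done.wait(timeout=5)
    return {
        "naive_flows": len({f.flow_id for f in naive_flows}),
        "single_flight_flows": len({f.flow_id for f in fixed_flows}),
        "pending_during": pending_during,
        "pending_after": fixed.pending_count(),
    }
```

`run_demo(50)` returns 50 distinct flows (and 50 threads) for the naive starter and exactly one for the single-flight starter, with one pending entry while the worker runs and none once it completes. Two details matter for the fix to hold: the lookup and the insert happen under the same lock, so two requests arriving together cannot both miss the dictionary, and the key is removed in a `finally` so a worker that raises does not leave a stale entry that blocks every later start for that provider and profile. Single-flight bounds duplicate work per key only; if the profile component of the key can be chosen freely by an unauthenticated client, a separate cap on the number of distinct pending flows, or the rate limiting and authentication listed above, is still needed to bound the total.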