CVE-2026-58122
Deferred Deferred - Pending Action

Hermes WebUI Authentication Bypass via X-Forwarded-For Spoofing

Vulnerability report for CVE-2026-58122, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hermes hermes_webui to 0.51.307 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Hermes WebUI versions before 0.51.307 have an authentication bypass vulnerability. This flaw allows unauthenticated remote attackers to bypass local-origin IP restrictions on onboarding endpoints by using a spoofed X-Forwarded-For header containing a loopback address.

By exploiting this vulnerability, attackers can perform server-side request forgery (SSRF) against internal services, including cloud metadata endpoints. They can also overwrite large language model (LLM) provider configurations and API keys with values controlled by the attacker, or initiate OAuth device-code flows to obtain persistent access tokens stored in the auth.json file.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to internal services through SSRF attacks, potentially exposing sensitive internal data.

Attackers can manipulate LLM provider configurations and API keys, which may lead to further compromise or misuse of services.

Additionally, attackers can obtain persistent access tokens via OAuth device-code flows, allowing long-term unauthorized access to the system.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to bypass authentication and access internal services, potentially leading to unauthorized access to sensitive data and persistent access tokens. This could result in violations of data protection and privacy regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the ability to overwrite configuration and API keys or obtain persistent access tokens may lead to data breaches or unauthorized data processing, which are critical compliance concerns under these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58122. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart