CVE-2026-58122
Deferred
Deferred - Pending Action
Hermes WebUI Authentication Bypass via X-Forwarded-For Spoofing
Vulnerability report for CVE-2026-58122, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-10
Assigner: VulnCheck
Description
Description
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hermes | hermes_webui | to 0.51.307 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-348 | The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. |