CVE-2026-58123
Deferred Deferred - Pending Action

Unauthenticated Remote Code Execution in Hermes WebUI

Vulnerability report for CVE-2026-58123, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hermes hermes_webui to 0.51.788 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Hermes WebUI versions before 0.51.788 and allows unauthenticated remote attackers to execute arbitrary shell commands on the server.

Attackers can exploit the embedded terminal API endpoints without needing any credentials by creating a session, attaching a PTY shell, and sending commands through the terminal input endpoint.

This process requires four sequential unauthenticated HTTP requests and results in full command execution with the privileges of the server process user.

Impact Analysis

This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary commands on the affected server without authentication.

An attacker could potentially take full control of the server process, leading to data theft, service disruption, installation of malware, or further network compromise.

Compliance Impact

The vulnerability allows unauthenticated remote code execution on the Hermes WebUI server, enabling attackers to execute arbitrary shell commands as the server process user. This unauthorized access and control over the server could lead to unauthorized data access, data breaches, or manipulation of sensitive information.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and systems to protect privacy and ensure data security.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to failure to adequately protect systems from unauthorized access and execution of arbitrary commands.

Detection Guidance

This vulnerability can be detected by checking if the Hermes WebUI version in use is before 0.51.788, as versions prior to this contain the unauthenticated remote code execution flaw.

To detect potential exploitation attempts on your network or system, monitor for unauthenticated HTTP requests targeting the embedded terminal API endpoints such as /api/terminal/start, /api/terminal/input, /api/terminal/resize, /api/terminal/close, and /api/terminal/output.

Suggested commands include using network monitoring tools like curl or wget to test access to these endpoints without authentication, for example:

  • curl -v http://<hermes-webui-host>:<port>/api/terminal/start
  • curl -v http://<hermes-webui-host>:<port>/api/terminal/input

Additionally, inspecting server logs for unauthenticated access attempts to these endpoints or unusual shell command executions can help detect exploitation.

Mitigation Strategies

The immediate mitigation step is to upgrade Hermes WebUI to version 0.51.788 or later, where the vulnerability has been fixed by gating embedded-terminal HTTP endpoints to local-origin requests when authentication is disabled.

If upgrading is not immediately possible, restrict network access to the Hermes WebUI server so that the embedded terminal API endpoints are only accessible from trusted local or private network origins.

Enable authentication on the Hermes WebUI to prevent unauthenticated access to terminal endpoints.

Consider using additional access controls such as reverse proxy authentication, VPNs, or firewall rules to limit exposure of the vulnerable endpoints.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart