Hermes WebUI Unauthenticated Setup Takeover via Settings API (CVE-2026-49973)
critical-cve-against-dependency · active
Hermes WebUI before 0.51.358 has an improper access control flaw that lets unauthenticated remote attackers hijack first-run setup by submitting the _set_password parameter to the settings API endpoint. An attacker can set an arbitrary password, obtain a valid session, and lock the legitimate operator out of their own instance.
Affected packages
- npm: hermes-webui
Sources
- ghsa: https://github.com/advisories/GHSA-p52p-4vmg-4vq3
- nvd: https://nvd.nist.gov/vuln/detail/CVE-2026-49973
- ghsa: https://github.com/nesquena/hermes-webui/pull/3964
- ghsa: https://github.com/nesquena/hermes-webui/pull/3973
- ghsa: https://github.com/nesquena/hermes-webui/commit/1126e541325d401538f6a272a9c024c37d47ae08
- ghsa: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.358
- ghsa: https://www.vulncheck.com/advisories/hermes-webui-unauthenticated-password-takeover-via-api-settings