Search
Find a vulnerability
Search criteria
1 vulnerability by hermes-webui
CVE-2026-55196 (GCVE-0-2026-55196)
Vulnerability from cvelistv5 – Published: 2026-06-17 17:58 – Updated: 2026-06-17 17:58 X_Open Source
VLAI
Title
Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass
Summary
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.
Severity
9.1 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/nesquena/hermes-webui/releases… | release-notes |
| https://github.com/nesquena/hermes-webui/pull/4171 | technical-description |
| https://github.com/nesquena/hermes-webui/pull/4267 | issue-tracking |
| https://github.com/nesquena/hermes-webui/commit/4… | patch |
| https://www.vulncheck.com/advisories/hermes-webui… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hermes-webui | hermes-webui |
Affected:
0 , < 0.51.409
(semver)
Unaffected: 0.51.409 (semver) |
Date Public
2026-06-14 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/hermes-webui-devtools",
"product": "hermes-webui",
"repo": "https://github.com/nesquena/hermes-webui",
"vendor": "hermes-webui",
"versions": [
{
"lessThan": "0.51.409",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.51.409",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chia Min Jun Lennon"
}
],
"datePublic": "2026-06-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T17:58:56.543Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Release Notes",
"tags": [
"release-notes"
],
"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.51.442"
},
{
"name": "Researcher Pull Request",
"tags": [
"technical-description"
],
"url": "https://github.com/nesquena/hermes-webui/pull/4171"
},
{
"name": "Maintainer Pull Request",
"tags": [
"issue-tracking"
],
"url": "https://github.com/nesquena/hermes-webui/pull/4267"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/nesquena/hermes-webui/commit/4d90577e25d5537cb07290eca3fb8abff3bab316"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hermes-webui-unauthenticated-passkey-registration-via-authentication-bypass"
}
],
"tags": [
"x_open-source"
],
"title": "Hermes WebUI \u003c 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-55196",
"datePublished": "2026-06-17T17:58:56.543Z",
"dateReserved": "2026-06-16T15:53:37.764Z",
"dateUpdated": "2026-06-17T17:58:56.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}