CVE-2026-49973

June 11, 2026, 8:50 p.m.

9.2
Critical

Description

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.

Product(s) Impacted

Vendor Product Versions
Hermes
  • Hermes Webui
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a hermes hermes_webui / / / / / / / /

References

https://github.com/nesquena/hermes-webui/commit/1126e541325d401538f6a272a9c024c37d47ae08
https://github.com/nesquena/hermes-webui/pull/3964
https://github.com/nesquena/hermes-webui/pull/3973
https://github.com/nesquena/hermes-webui/releases/tag/v0.51.358
https://www.vulncheck.com/advisories/hermes-webui-unauthenticated-password-takeover-via-api-settings

Tags

CWE-306
[email protected]
2026-06-11
CVE-2026-49973

CVSS Score

9.2 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 11, 2026, 8:16 p.m.
Last Modified: June 11, 2026, 8:50 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.