Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

Advisories

severity: critical
date: 6/11/2026
Affecting: Hermes WebUI < 0.51.358
CVE: CVE-2026-49973
CWE: CWE-306 Missing Authentication for Critical Function
CVSS: 9.2
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References: Release Notes
Researcher Pull Request
Maintainer Pull Request
Patch Commit
Credit: Chia Min Jun Lennon
Description: Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo