CVE-2026-55196NVD

Vulnerability Summary

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.

Severity Level

CRITICAL(9.1)

Published Date

Jun 17, 2026

Last Modified

Jun 17, 2026

Exploitation Status

No confirmed exploitation yet

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

N/A

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityNone

External References

https://github.com/nesquena/hermes-webui/releases/tag/v0.51.442
https://github.com/nesquena/hermes-webui/pull/4171
https://github.com/nesquena/hermes-webui/pull/4267
https://github.com/nesquena/hermes-webui/commit/4d90577e25d5537cb07290eca3fb8abff3bab316
https://www.vulncheck.com/advisories/hermes-webui-unauthenticated-passkey-registration-via-authentication-bypass