CVE-2026-49973

EUVD-2026-36306

11.06.2026, 20:16

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.4 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://github.com/nesquena/hermes-webui/commit/1126e541325d401538f6a272a9c024c37d47ae08

https://github.com/nesquena/hermes-webui/pull/3964

https://github.com/nesquena/hermes-webui/pull/3973

https://github.com/nesquena/hermes-webui/releases/tag/v0.51.358

https://www.vulncheck.com/advisories/hermes-webui-unauthenticated-password-takeover-via-api-settings