CVE-2026-55198

EUVD-2026-37779
Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, enabling attackers to exfiltrate foreign session transcripts by guessing or knowing session identifiers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/nesquena/hermes-webui/commit/2a3baa71b81ca92da8ece8616a09f15894beec71
https://github.com/nesquena/hermes-webui/pull/3991
https://github.com/nesquena/hermes-webui/pull/4269
https://github.com/nesquena/hermes-webui/releases/tag/v0.51.443
https://www.vulncheck.com/advisories/hermes-webui-cross-profile-session-data-exfiltration-via-session-export-endpoint
https://github.com/nesquena/hermes-webui/pull/3991