CVE-2026-55197
Severity: MEDIUM
Hermes WebUI < 0.51.443 - Broken Access Control in /api/session Endpoint
Title source: CNA

Description
Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET /api/session?session_id=<foreign_id>&messages=1 to retrieve unauthorized conversation transcripts and metadata.
References (5)
Release Notes: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.443
Technical Description (Researcher Pull Request): https://github.com/nesquena/hermes-webui/pull/3982
Issue Tracking (Maintainer Pull Request): https://github.com/nesquena/hermes-webui/pull/4269
Patch (Patch Commit): https://github.com/nesquena/hermes-webui/commit/2a3baa71b81ca92da8ece8616a09f15894beec71
Third Party Advisory: https://www.vulncheck.com/advisories/hermes-webui-broken-access-control-in-api-session-endpoint
Scores
CVSS v3 base score: 6.5
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0027
EPSS Percentile: 18.8%

CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-639
Status: published

Products (2)
nesquena/hermes-webui < 0.51.443 (affected)
nesquena/hermes-webui 0.51.443 (fixed)

Published: Jun 17, 2026
Tracked Since: Jun 18, 2026