CVE-2026-55198
Severity: MEDIUM
Hermes WebUI < 0.51.443 - Cross-Profile Session Data Exfiltration via Session Export Endpoint
Title source: cnaDescription
Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, enabling attackers to exfiltrate foreign session transcripts by guessing or knowing session identifiers.
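The flaw class in the description (CWE-639, an object reference that is looked up by identifier alone and never scoped to the caller's active profile) is easiest to see side by side with its fix. The following is an added illustration, not code from hermes-webui or its maintainers: the in-memory session store, the two profile and session identifiers, the exception type and the function names `export_vulnerable` / `export_fixed` are all constructed for this example, and the real `_handle_session_export` handler is not reproduced.

```python
# Added illustration of the CWE-639 pattern behind CVE-2026-55198.
# NOT hermes-webui code: the store, identifiers and function names are
# constructed for the example.
import json
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    owner_profile: str
    transcript: list = field(default_factory=list)


# Constructed store: two profiles, each owning exactly one session.
SESSIONS = {
    "sess-aaa": Session("sess-aaa", "profile-1", ["hello from profile 1"]),
    "sess-bbb": Session("sess-bbb", "profile-2", ["hello from profile 2"]),
}


class NotFound(Exception):
    """Raised when the requested session is not available to the caller."""


def _serialize(session: Session) -> str:
    return json.dumps({"id": session.session_id, "transcript": session.transcript})


def export_vulnerable(active_profile: str, session_id: str) -> str:
    """Vulnerable shape: the lookup is keyed on session_id only and the
    caller's active profile is never consulted, so any authenticated user
    who knows or guesses an id receives the transcript."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise NotFound(session_id)
    return _serialize(session)


def export_fixed(active_profile: str, session_id: str) -> str:
    """Hardened shape: ownership is checked against the active profile before
    anything is serialized. A foreign id and an unknown id raise the same
    NotFound, so the response does not reveal that the session exists under
    another profile."""
    session = SESSIONS.get(session_id)
    if session is None or session.owner_profile != active_profile:
        raise NotFound(session_id)
    return _serialize(session)


def cross_profile_access_allowed(export_fn, active_profile: str, session_id: str) -> bool:
    """Regression check: True if export_fn hands the caller a session that
    belongs to a different profile, False if access is correctly refused."""
    try:
        export_fn(active_profile, session_id)
    except NotFound:
        return False
    return SESSIONS[session_id].owner_profile != active_profile


if __name__ == "__main__":
    print("vulnerable leaks foreign session:",
          cross_profile_access_allowed(export_vulnerable, "profile-1", "sess-bbb"))
    print("fixed leaks foreign session:",
          cross_profile_access_allowed(export_fixed, "profile-1", "sess-bbb"))
```

The `cross_profile_access_allowed` helper is the kind of check worth keeping as a permanent test: it fails loudly if a future refactor of the export path drops the ownership comparison again. Returning the same not-found result for foreign and unknown identifiers is a deliberate choice so that the endpoint cannot be used to enumerate which session ids exist.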
References (5)
Release Notes: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.443
Technical Description (Researcher Pull Request): https://github.com/nesquena/hermes-webui/pull/3991
Issue Tracking (Maintainer Pull Request): https://github.com/nesquena/hermes-webui/pull/4269
Patch (Patch Commit): https://github.com/nesquena/hermes-webui/commit/2a3baa71b81ca92da8ece8616a09f15894beec71
Third Party Advisory: https://www.vulncheck.com/advisories/hermes-webui-cross-profile-session-data-exfiltration-via-session-export-endpoint
Scores
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: NETWORK
EPSS: 0.0027 (percentile 18.8%)
CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: no; Technical Impact: partial
Details
CWE: CWE-639
Status: published
Products (2): nesquena/hermes-webui < 0.51.443; nesquena/hermes-webui 0.51.443
Published: Jun 17, 2026
Tracked Since: Jun 18, 2026