CVE-2026-49955
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion.
Risk Assessment
Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.
Recommendation
It is recommended to update Hermes WebUI to version 0.51.270 or later to mitigate this vulnerability and to monitor traffic to the authentication endpoint for potential attacks.
Original NVD description (English source)
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.

