CVE Catalog

CVE-2026-49955

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

35th percentile - higher than 35% of all known CVEs

Summary

Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion.

Risk Assessment

Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.

Recommendation

It is recommended to update Hermes WebUI to version 0.51.270 or later to mitigate this vulnerability and to monitor traffic to the authentication endpoint for potential attacks.

Original NVD description (English source)

Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS