CVE Catalog

CVE-2026-55196

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.58%

43th percentile — higher than 43% of all known CVEs

Summary

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication.

Risk Assessment

Attackers can claim the first passkey and gain permanent administrative control, posing a serious security threat to the system.

Recommendation

It is recommended to update Hermes WebUI to version 0.51.409 or later and to disable the HERMES_WEBUI_PASSKEY option if it is not necessary.

Original NVD description (English source)

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS