PatchSiren cyber security CVE debrief
CVE-2026-49973 nesquena CVE debrief
CVE-2026-49973 is a critical vulnerability in Hermes WebUI before version 0.51.358. It allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.
- Vendor: nesquena
- Product: hermes-webui
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-13
Who should care
Users of Hermes WebUI, especially those who have not upgraded to version 0.51.358 or later, should be aware of this vulnerability and take immediate action to secure their instances.
Technical summary
The vulnerability exists in the settings API endpoint of Hermes WebUI. While the instance is still in its first-run setup window (no operator password has been persisted yet), an unauthenticated attacker can send a POST request carrying the _set_password parameter; because the endpoint applies no network origin restriction, the request is honoured from any reachable address, letting the attacker set an arbitrary password hash and gain unauthorized access.
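To make the flaw concrete from a defender's side, the following added example (written for this debrief, not code from the hermes-webui project) contrasts a setup handler that accepts _set_password from anywhere with one that closes the first-run window after the first password, restricts setup to trusted origins, and demands a one-time setup token. The handler signatures, the InstanceState class, the trusted networks and the token scheme are all assumptions for illustration; the real project's API is not described on this page.

```python
import hashlib
import ipaddress
import secrets

# Assumed: first-run setup is only accepted from loopback (adjust per deployment).
TRUSTED_SETUP_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                          ipaddress.ip_network("::1/128")]


class InstanceState:
    """Hypothetical per-instance state; None password_hash means setup is still open."""

    def __init__(self):
        self.password_hash = None
        # Assumed: emitted to the operator's console at startup, never over HTTP.
        self.setup_token = secrets.token_urlsafe(32)


def hash_password(password):
    # Demo hashing only; a production system would use argon2/bcrypt/scrypt.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def weak_settings_post(state, client_ip, params):
    """Mirrors the flawed pattern described in the advisory: any caller may
    persist a password through _set_password, with no origin or window check."""
    if "_set_password" in params:
        state.password_hash = hash_password(params["_set_password"])
        return 200, "password set"
    return 200, "ok"


def hardened_settings_post(state, client_ip, params, setup_token=None):
    """Same endpoint with the three checks a first-run flow needs."""
    if "_set_password" not in params:
        return 200, "ok"
    if state.password_hash is not None:
        return 403, "setup already completed"          # first-run window is closed
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_SETUP_NETWORKS):
        return 403, "setup only allowed from a trusted origin"
    if setup_token is None or not secrets.compare_digest(setup_token, state.setup_token):
        return 403, "invalid setup token"
    state.password_hash = hash_password(params["_set_password"])
    return 200, "password set"


def demo():
    """Constructed walk-through: a remote caller hits both handlers."""
    weak = InstanceState()
    weak_status, _ = weak_settings_post(weak, "203.0.113.7", {"_set_password": "x"})

    hard = InstanceState()
    remote_status, _ = hardened_settings_post(hard, "203.0.113.7", {"_set_password": "x"})
    local_no_token, _ = hardened_settings_post(hard, "127.0.0.1", {"_set_password": "x"})
    local_ok, _ = hardened_settings_post(hard, "127.0.0.1", {"_set_password": "x"},
                                         setup_token=hard.setup_token)
    second_try, _ = hardened_settings_post(hard, "127.0.0.1", {"_set_password": "y"},
                                           setup_token=hard.setup_token)
    return {
        "weak_remote": (weak_status, weak.password_hash is not None),
        "hard_remote": remote_status,
        "hard_local_no_token": local_no_token,
        "hard_local_ok": local_ok,
        "hard_second_try": second_try,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The three checks are independent layers: closing the window after the first password removes the race entirely, the origin check limits who can reach the window while it is open, and the console-only token means a reachable network position alone is not enough.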
Defensive priority
High
Recommended defensive actions
- Upgrade Hermes WebUI to version 0.51.358 or later.
- Restrict access to the settings API endpoint to trusted network origins only (for example loopback or an administrative subnet), and do not expose an un-set-up instance to untrusted networks.
- Monitor for POST requests to the settings endpoint, particularly any carrying the _set_password parameter, that arrive from untrusted sources during initial setup.
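The monitoring action above can be turned into a small log scan. The following is an added example for this debrief, not tooling from the project or the advisory: it parses constructed access-log lines in Common Log Format, flags POSTs to the settings endpoint, and escalates when the _set_password parameter appears in a request from a non-trusted address. The endpoint path /api/settings, the trusted networks and the sample lines are all assumptions; substitute the real path and ranges for your deployment.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed placeholder: the page names "the settings API endpoint" but not its path.
SETTINGS_PATH = "/api/settings"
SENSITIVE_PARAM = "_set_password"   # parameter named in the advisory

# Assumed trusted setup origins: loopback plus an administrative subnet.
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("::1/128"),
                    ipaddress.ip_network("10.0.0.0/8")]

# Common Log Format: client ip, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here as untrusted sources.
SAMPLE_LOG = [
    '127.0.0.1 - - [11/Jun/2026:09:00:01 +0000] "POST /api/settings?_set_password=1 HTTP/1.1" 200 12',
    '203.0.113.7 - - [11/Jun/2026:09:00:05 +0000] "POST /api/settings?_set_password=1 HTTP/1.1" 200 12',
    '203.0.113.7 - - [11/Jun/2026:09:00:06 +0000] "GET /api/settings HTTP/1.1" 200 512',
    '198.51.100.4 - - [11/Jun/2026:09:01:00 +0000] "POST /api/settings?theme=dark HTTP/1.1" 200 12',
    'garbage line that does not parse',
]


def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_line(line):
    """Return a dict for a CLF line, or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": parts.path, "query": parse_qs(parts.query),
            "status": int(m.group("status"))}


def classify(event):
    """Verdict for one parsed event, or None when it is not of interest.

    Caveat: access logs record the query string, not the POST body, so a
    _set_password sent in the body is only visible with application-level or
    proxy body logging; the untrusted-POST warning still fires in that case."""
    if event is None or event["method"] != "POST" or event["path"] != SETTINGS_PATH:
        return None
    carries_param = SENSITIVE_PARAM in event["query"]
    trusted = is_trusted(event["ip"])
    if carries_param and not trusted:
        return "CRITICAL: untrusted source set a password via the settings endpoint"
    if carries_param:
        return "INFO: password set from a trusted origin"
    if not trusted:
        return "WARN: untrusted source POSTed to the settings endpoint"
    return None


def scan(lines):
    """Return (ip, timestamp, verdict) for every line that warrants attention."""
    findings = []
    for line in lines:
        event = parse_line(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["ip"], event["ts"], verdict))
    return findings


if __name__ == "__main__":
    for ip, ts, verdict in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {verdict}")
```

Run against the real access log of a freshly deployed instance, any CRITICAL finding in the window before the operator completed setup is the signal that the setup was hijacked and the instance should be treated as compromised rather than simply upgraded.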
Evidence notes
The vulnerability was reported by VulnCheck and is tracked under CVE-2026-49973. References include GitHub commits and pull requests related to the fix, as well as VulnCheck's advisory.
Official resources
CVE-2026-49973 was published on 2026-06-11T20:16:25.050Z and modified on 2026-06-13T04:17:33.730Z.