PatchSiren cyber security CVE debrief
CVE-2026-55196 nesquena CVE debrief
A critical vulnerability, CVE-2026-55196, has been discovered in Hermes WebUI, a web-based user interface for Hermes. It is an authentication bypass that lets an unauthenticated remote attacker register an arbitrary passkey. When HERMES_WEBUI_PASSKEY=1 is enabled and no credentials exist yet, the POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are reachable without authentication, so whoever reaches them first claims the first passkey and with it permanent administrative control. The vulnerability has a CVSS score of 9.1 (Critical).
- Vendor: nesquena
- Product: hermes-webui
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-23
Who should care
Administrators of Hermes WebUI deployments that have enabled HERMES_WEBUI_PASSKEY=1, and in particular anyone who enabled it on a fresh or reset instance that is reachable from an untrusted network, should treat this as urgent. The exposure window runs from the moment passkey authentication is enabled until the first passkey is registered; during that window any remote party can register the first passkey and thereby take permanent administrative control of the instance, including any data and integrations the WebUI can reach.
Technical summary
The vulnerability exists in the passkey registration endpoints of Hermes WebUI. When HERMES_WEBUI_PASSKEY=1 is enabled and no credentials exist yet, POST /api/auth/passkey/register/options (which issues the registration challenge) and POST /api/auth/passkey/register (which stores the resulting passkey) are both reachable without authentication. In that state the empty credential store is the only gate on the flow: nothing ties the first registration to the operator, so the bootstrap is a race that the first caller wins. An attacker who completes the two-step registration first holds the only passkey and is therefore the administrator; the legitimate operator is locked out rather than merely sharing access. The root cause is the absence of an authentication or operator-proof check on the first-credential registration path.
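As an added example (not Hermes WebUI code, and not the vendor's fix), the following Python model reproduces the flawed gate described above beside a hardened form. The class names, the X-Setup-Token header, the in-memory credential store and the simplified challenge handling are assumptions made for illustration; the hardened variant gates the first registration on a single-use setup token that only the operator can read, which is one common way to close a first-registrant-wins bootstrap.

```python
"""Added example, not Hermes WebUI code: a minimal model of the first-passkey
bootstrap flow, with the flawed gate (empty store == authorised) beside a
hardened gate (single-use setup token held only by the operator).
Class names, the X-Setup-Token header, the in-memory store and the simplified
challenge handling are all assumptions made for illustration."""
import hmac
import secrets


class Request:
    """Constructed stand-in for an HTTP request."""
    def __init__(self, remote_addr, headers=None, body=None):
        self.remote_addr = remote_addr
        self.headers = headers or {}
        self.body = body or {}


class VulnerableBootstrap:
    """Mirrors the reported behaviour: while no credential is stored, both
    registration endpoints answer any caller, so the first registrant wins."""
    def __init__(self):
        self.credentials = {}   # credential_id -> record
        self.challenges = set()

    def register_options(self, req):
        if self.credentials:                       # the empty store is the only gate
            return {"status": 401, "error": "authentication required"}
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return {"status": 200, "challenge": challenge}

    def register(self, req):
        if self.credentials:
            return {"status": 401, "error": "authentication required"}
        challenge = req.body.get("challenge")
        if challenge not in self.challenges:
            return {"status": 400, "error": "unknown challenge"}
        self.challenges.discard(challenge)
        self.credentials[req.body["credential_id"]] = {"role": "admin",
                                                       "registered_by": req.remote_addr}
        return {"status": 200, "role": "admin"}


class HardenedBootstrap(VulnerableBootstrap):
    """Same flow, but an empty store alone never authorises a caller: the
    registrant must present a single-use setup token that only the operator
    can read (assumed here to be shown on the server console at startup)."""
    def __init__(self, setup_token):
        super().__init__()
        self._setup_token = setup_token          # set to None once consumed

    def _token_ok(self, req):
        presented = req.headers.get("X-Setup-Token", "")
        return self._setup_token is not None and hmac.compare_digest(
            presented, self._setup_token)

    def register_options(self, req):
        if self.credentials or not self._token_ok(req):
            return {"status": 401, "error": "setup token required"}
        return super().register_options(req)

    def register(self, req):
        if self.credentials or not self._token_ok(req):
            return {"status": 401, "error": "setup token required"}
        result = super().register(req)
        if result["status"] == 200:
            self._setup_token = None             # single use: no replay by a later caller
        return result


def claim_first_passkey(app, remote_addr, headers=None, credential_id="key"):
    """Drive the two-step registration and report whether it yielded an admin credential."""
    req = Request(remote_addr, headers=headers)
    opts = app.register_options(req)
    if opts["status"] != 200:
        return False
    req.body = {"challenge": opts["challenge"], "credential_id": credential_id}
    return app.register(req)["status"] == 200


def demo():
    """An attacker from a TEST-NET address (constructed) races the operator on both variants."""
    vuln = VulnerableBootstrap()
    token = secrets.token_urlsafe(24)
    hard = HardenedBootstrap(setup_token=token)
    operator = {"X-Setup-Token": token}
    out = {}
    out["vulnerable_attacker_wins"] = claim_first_passkey(vuln, "203.0.113.7", credential_id="attacker")
    # Permanent: once the attacker holds the only passkey, the real operator is locked out.
    out["vulnerable_operator_locked_out"] = not claim_first_passkey(vuln, "127.0.0.1", credential_id="operator")
    out["hardened_attacker_wins"] = claim_first_passkey(hard, "203.0.113.7", credential_id="attacker")
    out["hardened_operator_registers"] = claim_first_passkey(hard, "127.0.0.1", operator, "operator")
    # The consumed token is useless to anyone who captures it afterwards.
    out["hardened_token_replay_rejected"] = not claim_first_passkey(hard, "203.0.113.7", operator, "replay")
    return out


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The point the model makes is that "no credentials exist" is a state, not an identity: a bootstrap that treats it as authorisation hands the instance to whoever arrives first. Any proof that only the operator can supply (a console-printed token, a file readable only on the host, a loopback-only listener for setup) converts the race into an operator-controlled step.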
Defensive priority
High
Recommended defensive actions
- Update Hermes WebUI to version 0.51.442 or later.
- Before and after updating, check which passkeys are registered. If a passkey you did not register is present, an attacker has already claimed the instance; updating does not remove it, so treat the instance as compromised, reset the credential store and re-register from a trusted network.
- If you cannot update immediately, disable HERMES_WEBUI_PASSKEY=1, or block POST requests to /api/auth/passkey/register/options and /api/auth/passkey/register at the reverse proxy or firewall, until the fixed version is deployed.
- Do not expose a fresh or reset instance with passkey authentication enabled to untrusted networks before the first passkey has been registered.
- Monitor access logs for POST requests to the two endpoints, especially successful (2xx) responses from addresses you do not recognise; on an unpatched instance a 2xx to an unauthenticated caller is the vulnerable state itself.
- If you maintain a fork or a similar first-user bootstrap flow, gate first-credential registration on something only the operator holds (for example a single-use setup token or a loopback-only setup listener) rather than on the credential store being empty.
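To support the monitoring recommendation, here is an added example (not part of the advisory or of Hermes WebUI) that scans a reverse-proxy access log for successful unauthenticated hits on the two registration endpoints and groups them by source, flagging sources that completed both steps. The combined-log-format assumption, the sample lines and the trusted-network list are constructed for illustration; only the two paths come from the advisory.

```python
"""Added example, not part of the advisory or of Hermes WebUI: flag successful
POSTs to the passkey-registration endpoints in a reverse-proxy access log.
The combined log format, the sample lines and the trusted networks are
constructed assumptions; the two paths are the ones named in the advisory."""
import ipaddress
import re

REGISTRATION_PATHS = (
    "/api/auth/passkey/register",
    "/api/auth/passkey/register/options",
)

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample: one remote source completes both steps, one internal host is
# refused (401), one host hits the options endpoint with a query string.
SAMPLE_LOG = """\
127.0.0.1 - - [17/Jun/2026:10:02:11 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "curl/8.5"
203.0.113.7 - - [17/Jun/2026:10:05:40 +0000] "POST /api/auth/passkey/register/options HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jun/2026:10:05:41 +0000] "POST /api/auth/passkey/register HTTP/1.1" 200 58 "-" "python-requests/2.31"
192.168.10.5 - - [17/Jun/2026:10:07:02 +0000] "POST /api/auth/passkey/register/options HTTP/1.1" 401 33 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jun/2026:10:09:15 +0000] "POST /api/auth/passkey/register/options?x=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # strip the query string before matching
    return rec


def find_registration_events(log_text, trusted_networks=("127.0.0.0/8", "::1/128")):
    """Return every successful (2xx) POST to a registration endpoint from outside
    the trusted networks. On an unpatched instance a 2xx to an unauthenticated
    caller is the vulnerable state itself, so each hit deserves a look."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in REGISTRATION_PATHS:
            continue
        if not 200 <= rec["status"] < 300:
            continue
        if any(ipaddress.ip_address(rec["ip"]) in net for net in trusted):
            continue
        events.append(rec)
    return events


def summarise(events):
    """Group events by source IP; a source that reached the register endpoint
    (not just options) has very likely claimed a passkey."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], set()).add(e["path"])
    return {
        ip: {"completed_registration": REGISTRATION_PATHS[0] in paths,
             "paths": sorted(paths)}
        for ip, paths in by_ip.items()
    }


if __name__ == "__main__":
    for ip, info in summarise(find_registration_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Run it against your own proxy logs by replacing SAMPLE_LOG with the file contents and widening trusted_networks to the management range you register passkeys from. A source listed with completed_registration set is the one to cross-check against the passkeys actually stored on the instance.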
Evidence notes
The vulnerability was reported by VulnCheck and is publicly disclosed. The CVE record and NVD detail pages provide additional information, and the fixing GitHub commits and pull requests are available for reference.
Official resources
public