PatchSiren cyber security CVE debrief
CVE-2026-55197 nesquena CVE debrief
CVE-2026-55197 is a high-severity vulnerability in Hermes WebUI before 0.51.443. The vulnerability is caused by a broken access control in the /api/session endpoint, which allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET /api/session?session_id=<foreign_id>&messages=1 to retrieve unauthorized conversation transcripts and metadata. This vulnerability has significant operational impact and requires immediate attention.
- Vendor
- nesquena
- Product
- hermes-webui
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
Users of Hermes WebUI before version 0.51.443, administrators, security teams, and operators should be aware of this vulnerability and take immediate action to upgrade to the latest version. Additionally, they should review their systems for potential exposure and implement compensating controls if necessary.
Technical summary
The vulnerability is caused by a broken access control in the /api/session endpoint of Hermes WebUI before 0.51.443. This allows authenticated users to disclose cross-profile session transcripts by querying session IDs belonging to other profiles. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Affected users should be aware of the potential for unauthorized access to conversation transcripts and metadata.
Defensive priority
High
Recommended defensive actions
- Upgrade Hermes WebUI to version 0.51.443 or later
- Review system configurations and ensure proper access controls are in place
- Monitor for suspicious activity and implement compensating controls if necessary
- Perform regular security audits and vulnerability assessments
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The vulnerability was reported by an unknown source and is publicly disclosed. The CVE record was published on 2026-06-17T19:18:13.340Z and last modified on 2026-06-17T20:21:59.863Z. The NVD entry is currently Deferred. Evidence is limited, and defenders should verify affected scope and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T19:18:13.340Z and has not been modified since then. The NVD entry is currently Deferred.