CVE-2026-49956
Published: 2026-06-09
Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.27% (18.9th percentile)
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.
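As an added illustration of the bug class the advisory describes (this is not hermes-webui code, and the data model, handler names, sample sessions and choice of Python are all assumptions), the block below places a session search handler that ignores the caller's active profile beside one that scopes by profile before matching on titles and transcript text, and includes a regression check that flags any result owned by another profile:

```python
"""Profile-scoped session search: vulnerable handler beside the fixed one.

Added illustration, not hermes-webui code. The data model, function names
and sample data are all assumptions constructed for this example; the
point modelled is the one the advisory describes: a search endpoint that
matches on session titles and transcript text but never constrains the
result set to the caller's active profile.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Session:
    id: str
    profile_id: str       # the profile that owns this session
    title: str
    messages: list[str] = field(default_factory=list)


# Constructed sample store: one authenticated account, two profiles.
SESSIONS: list[Session] = [
    Session("s1", "work", "Q3 budget review", ["Draft numbers for the board deck"]),
    Session("s2", "personal", "Therapy notes", ["Discussed anxiety about layoffs"]),
    Session("s3", "personal", "Gift ideas", ["Noise-cancelling headphones for mom"]),
]


def _matches(session: Session, query: str) -> bool:
    """Case-insensitive substring match over title and transcript messages."""
    q = query.lower()
    return q in session.title.lower() or any(q in m.lower() for m in session.messages)


def _snippet(session: Session, query: str) -> str:
    """First message containing the query, or the title if only the title matched."""
    q = query.lower()
    for m in session.messages:
        if q in m.lower():
            return m
    return session.title


def search_sessions_vulnerable(query: str, active_profile: str) -> list[dict]:
    """Before the fix: the handler receives the active profile but never uses it.

    The text predicate runs over every stored session, so a search issued from
    the 'work' profile returns titles and transcript snippets owned by 'personal'.
    """
    return [
        {"id": s.id, "profile_id": s.profile_id, "title": s.title,
         "snippet": _snippet(s, query)}
        for s in SESSIONS
        if _matches(s, query)
    ]


def search_sessions_fixed(query: str, active_profile: str) -> list[dict]:
    """After the fix: the ownership predicate is applied before text matching.

    Scoping first (rather than post-filtering a cross-profile hit list) keeps
    other profiles' content out of every later stage: ranking, snippet
    extraction, result counts and timing.
    """
    scoped = (s for s in SESSIONS if s.profile_id == active_profile)
    return [
        {"id": s.id, "profile_id": s.profile_id, "title": s.title,
         "snippet": _snippet(s, query)}
        for s in scoped
        if _matches(s, query)
    ]


def leaks_other_profiles(handler: Callable[[str, str], list[dict]],
                         active_profile: str, query: str) -> bool:
    """Regression check: does any result belong to a profile other than the caller's?

    An empty query is the strongest probe, since it matches every stored session.
    """
    return any(r["profile_id"] != active_profile for r in handler(query, active_profile))


if __name__ == "__main__":
    for name, handler in (("vulnerable", search_sessions_vulnerable),
                          ("fixed", search_sessions_fixed)):
        hits = handler("layoffs", "work")
        print(f"{name}: search 'layoffs' as profile 'work' -> {[h['title'] for h in hits]}")
        print(f"{name}: leaks other profiles on empty query -> "
              f"{leaks_other_profiles(handler, 'work', '')}")
```

The practical check is the last function: run the search handler with an empty or wildcard query under one profile and assert that nothing owned by another profile comes back. In a real deployment the scoping predicate belongs in the query itself (a `WHERE profile_id = :active_profile` clause or its ORM equivalent) rather than in a post-filter over results, so that snippets, counts and pagination never touch rows the caller may not see. The upstream fix lives in the commit and pull requests linked in the references below and is not reproduced here.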
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nesquena | hermes-webui | < 0.51.269 | 0.51.269 |
CVSS provenance
- NVD, CVSS v3.1: 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- NVD, CVSS v4.0: 7.1 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
GHSA
ghsa_unreviewed · 2026-06-09 · CVE-2026-49956 [HIGH] · CWE-862 (Missing Authorization)
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.
VulDB
vuldb · 2026-06-09 · CVE-2026-49956 [MEDIUM] · CVSS 6.5
nesquena hermes-webui up to 0.51.268 Session Search Endpoint authorization
A vulnerability classified as problematic was found in nesquena hermes-webui up to 0.51.268. It affects an unknown function of the Session Search Endpoint component. The manipulation results in missing authorization.
This vulnerability is cataloged as CVE-2026-49956. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/nesquena/hermes-webui/commit/2c7b530071bb29ae4184e83e33be5799d529568e
- https://github.com/nesquena/hermes-webui/pull/3646
- https://github.com/nesquena/hermes-webui/pull/3672
- https://github.com/nesquena/hermes-webui/releases/tag/v0.51.269
- https://www.vulncheck.com/advisories/hermes-webui-profile-isolation-bypass-via-sessions-search
Published: 2026-06-09