CVE-2026-49973
Published 2026-06-11
Priority: P2 · 67 · critical · 9.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.54% (41.5th percentile)
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.
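As an added illustration (not code from the hermes-webui project, whose internals this page does not show), a minimal Python model of the first-run `_set_password` handling the description above outlines, beside a hardened variant that ties the first-run claim to a loopback origin and an assumed out-of-band setup token:

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Instance:
    """In-memory stand-in (assumed) for the WebUI's persisted settings."""
    password_hash: Optional[str] = None
    # Hypothetical out-of-band setup token, shown on the operator console at start.
    setup_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    sessions: Set[str] = field(default_factory=set)


def _hash(password: str) -> str:
    # Demo hashing only; a real application would use argon2/bcrypt with a salt.
    return hashlib.sha256(password.encode()).hexdigest()


def _open_session(inst: Instance) -> str:
    cookie = secrets.token_hex(16)
    inst.sessions.add(cookie)
    return cookie


def vulnerable_settings(inst: Instance, form: dict, remote_addr: str) -> Tuple[int, Optional[str]]:
    """Model of the pre-fix behaviour the advisory describes: while no password
    exists, any reachable host may claim the instance via _set_password."""
    if inst.password_hash is None and "_set_password" in form:
        inst.password_hash = _hash(form["_set_password"])
        return 200, _open_session(inst)
    return 403, None


def hardened_settings(inst: Instance, form: dict, remote_addr: str,
                      setup_token: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """First-run claim only from loopback and only with the setup token."""
    if inst.password_hash is not None:
        return 403, None  # setup already completed; normal authentication applies
    if "_set_password" not in form:
        return 400, None
    if not ipaddress.ip_address(remote_addr).is_loopback:
        return 403, None  # network origin restriction
    if setup_token is None or not hmac.compare_digest(setup_token, inst.setup_token):
        return 403, None  # proof of operator access to the host
    inst.password_hash = _hash(form["_set_password"])
    return 200, _open_session(inst)
```

The constructed remote address 203.0.113.5 stands in for any non-local client; the hardened handler rejects it even during the setup window.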
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nesquena | hermes-webui | < 0.51.358 | 0.51.358 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
ghsa_unreviewed · 2026-06-11
CVE-2026-49973 [CRITICAL] CWE-306
VulDB
nesquena hermes-webui up to 0.51.357 Settings API Endpoint _set_password missing authentication (EUVD-2026-36306)
vuldb · 2026-06-11 · CVSS 9.4
A vulnerability marked as critical has been reported in nesquena hermes-webui up to 0.51.357. The affected element is an unknown function of the component Settings API Endpoint. The manipulation of the argument _set_password leads to missing authentication.
This vulnerability is traded as CVE-2026-49973. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/nesquena/hermes-webui/commit/1126e541325d401538f6a272a9c024c37d47ae08
- https://github.com/nesquena/hermes-webui/pull/3964
- https://github.com/nesquena/hermes-webui/pull/3973
- https://github.com/nesquena/hermes-webui/releases/tag/v0.51.358
- https://www.vulncheck.com/advisories/hermes-webui-unauthenticated-password-takeover-via-api-settings