CVE-2026-55196
Published 2026-06-17
Priority: P2 (74), critical, 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.58% (43.3th percentile)
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hermes-webui | hermes-webui | < 0.51.409 | 0.51.409 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.1 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | v4.0 | 9.1 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
VulDB
hermes-webui Hermes WebUI up to 0.51.408 options missing authentication
vuldb·2026-06-17
CVE-2026-55196 [CRITICAL] hermes-webui Hermes WebUI up to 0.51.408 options missing authentication
A vulnerability labeled as critical has been found in hermes-webui Hermes WebUI up to 0.51.408. This affects an unknown part of the file /api/auth/passkey/register/options. Executing a manipulation can lead to missing authentication.
This vulnerability appears as CVE-2026-55196. The attack may be performed from remote. There is no available exploit.
The affected component should be upgraded.
CVEList
Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass
cvelistv5·2026-06-17·CVSS 9.1
CVE-2026-55196 [CRITICAL] CWE-306 Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass
GHSA
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys.
ghsa_unreviewed·2026-06-17
CVE-2026-55196 [CRITICAL] CWE-306 Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/nesquena/hermes-webui/commit/4d90577e25d5537cb07290eca3fb8abff3bab316
https://github.com/nesquena/hermes-webui/pull/4171
https://github.com/nesquena/hermes-webui/pull/4267
https://github.com/nesquena/hermes-webui/releases/tag/v0.51.442
https://www.vulncheck.com/advisories/hermes-webui-unauthenticated-passkey-registration-via-authentication-bypass
Published: 2026-06-17