CVE-2026-55205
Published: 2026-06-18
Priority: P4 (33) · Medium 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:L
EPSS: 0.30% (21.7th percentile)
Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.
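The description names three per-request resources that nothing bounds: a flow-state entry, a daemon poller thread, and an outbound device-code request to the upstream provider. The sketch below is an added illustration, not code from hermes-webui or from the fix commit; it puts that unbounded pattern beside a bounded store that checks a per-client rate limit and a table cap before touching the provider, expires entries by TTL, and uses no thread per flow. The class names, the limits, the fake provider and the client address are all assumptions constructed for the example.

```python
import threading
import time
import uuid
from collections import deque


class FakeProvider:
    """Stand-in for the upstream OAuth provider (constructed for this example).
    It only counts device-code requests so the outbound amplification is visible."""

    def __init__(self):
        self.device_code_requests = 0

    def request_device_code(self):
        self.device_code_requests += 1
        return {"device_code": uuid.uuid4().hex, "interval": 5}


class UnboundedFlowStore:
    """The pattern the advisory describes (assumed shape, not the project's code):
    each POST creates flow state plus a daemon poller thread, with no cap,
    no expiry and no per-client limit."""

    def __init__(self, provider):
        self.provider = provider
        self.flows = {}
        self.pollers = []
        self._stop = threading.Event()  # only so the example can shut down cleanly

    def start(self, client_ip):
        code = self.provider.request_device_code()  # outbound call on every request
        flow_id = uuid.uuid4().hex
        self.flows[flow_id] = {"ip": client_ip, "device_code": code["device_code"]}
        t = threading.Thread(target=self._poll, args=(flow_id,), daemon=True)
        t.start()
        self.pollers.append(t)
        return flow_id

    def _poll(self, flow_id):
        # Stands in for the poll loop against the provider's token endpoint;
        # it stays alive until shutdown, like a device flow that never expires.
        self._stop.wait()

    def shutdown(self):
        self._stop.set()
        for t in self.pollers:
            t.join(timeout=1)


class FlowRejected(Exception):
    pass


class BoundedFlowStore:
    """Hardened variant: bounded table with TTL eviction, a per-client rate
    limit checked before any outbound call, and no thread per flow (a single
    shared worker calls poll_due() on a timer). All limits are assumptions."""

    def __init__(self, provider, max_flows=64, ttl_s=600.0,
                 per_ip_limit=5, per_ip_window_s=60.0, clock=time.monotonic):
        self.provider = provider
        self.max_flows = max_flows
        self.ttl_s = ttl_s
        self.per_ip_limit = per_ip_limit
        self.per_ip_window_s = per_ip_window_s
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self.flows = {}
        self.hits_by_ip = {}
        self.lock = threading.Lock()

    def _evict_expired(self, now):
        expired = [fid for fid, f in self.flows.items() if now - f["created"] > self.ttl_s]
        for fid in expired:
            del self.flows[fid]
        return len(expired)

    def start(self, client_ip):
        with self.lock:
            now = self.clock()
            self._evict_expired(now)
            hits = self.hits_by_ip.setdefault(client_ip, deque())
            while hits and now - hits[0] > self.per_ip_window_s:
                hits.popleft()
            if len(hits) >= self.per_ip_limit:
                raise FlowRejected("rate limited")            # answer 429, no upstream call
            if len(self.flows) >= self.max_flows:
                raise FlowRejected("too many pending flows")  # answer 503, no upstream call
            hits.append(now)
            code = self.provider.request_device_code()  # only reached after both checks
            flow_id = uuid.uuid4().hex
            self.flows[flow_id] = {"ip": client_ip, "device_code": code["device_code"],
                                   "created": now}
            return flow_id

    def poll_due(self):
        """Run by one shared worker: drops expired flows instead of keeping a
        thread alive for each one. Returns the number evicted."""
        with self.lock:
            return self._evict_expired(self.clock())


def flood(store, n, ip="198.51.100.7"):
    """Send n start requests from one client address; return (accepted, rejected)."""
    accepted = rejected = 0
    for _ in range(n):
        try:
            store.start(ip)
            accepted += 1
        except FlowRejected:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    weak = UnboundedFlowStore(FakeProvider())
    print("unbounded:", flood(weak, 200), "flows", len(weak.flows),
          "threads", len(weak.pollers), "upstream calls", weak.provider.device_code_requests)
    weak.shutdown()
    strong = BoundedFlowStore(FakeProvider())
    print("bounded:", flood(strong, 200), "flows", len(strong.flows),
          "upstream calls", strong.provider.device_code_requests)
```

The ordering in `BoundedFlowStore.start` is the point: both checks run before the provider is contacted, so a flood from one address costs the server a dictionary lookup and the provider nothing, and a flood from many addresses stops at `max_flows`. Without the TTL, a distributed flood could still pin the table at its cap indefinitely, which is why `poll_due` evicts by age rather than waiting for the flow to complete.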
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nesquena | hermes-webui | < 0.51.468 | 0.51.468 |
CVSS provenance
NVD, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
NVD, CVSS v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA (unreviewed), 2026-06-18: CVE-2026-55205 [MEDIUM], CWE-770 (Allocation of Resources Without Limits or Throttling). The GHSA description is the same text as the description above.
VulDB
VulDB, 2026-06-18: CVE-2026-55205 [LOW], "nesquena hermes-webui up to 0.51.467 start allocation of resources" (EUVD-2026-37904)
A vulnerability classified as problematic has been identified in nesquena hermes-webui up to 0.51.467. It affects unspecified processing in the /api/onboarding/oauth/start endpoint; manipulated requests to it lead to allocation of resources without limits.
The identifier assigned to this vulnerability is CVE-2026-55205. The attack can be launched remotely. No exploit is available.
Upgrading the affected component is recommended.
Note that VulDB rates the issue LOW while NVD scores it 5.3 MEDIUM; the two sources agree on the affected range and the fixed version.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/nesquena/hermes-webui/commit/ce272d9cd5f8e5a4521278f56eb5388010901646
https://github.com/nesquena/hermes-webui/pull/3970
https://github.com/nesquena/hermes-webui/pull/4338
https://github.com/nesquena/hermes-webui/releases/tag/v0.51.468
https://www.vulncheck.com/advisories/hermes-webui-resource-exhaustion-via-unauthenticated-oauth-flow-endpoint