Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55198

CVE-2026-55198: Hermes WebUI Auth Bypass Vulnerability

CVE-2026-55198 is an authorization bypass flaw in Hermes WebUI before 0.51.443 that allows authenticated users to access sessions from other profiles. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-55198 Overview

CVE-2026-55198 is an authorization bypass vulnerability affecting Hermes WebUI versions before 0.51.443. The flaw resides in the session export endpoint, where the _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data. Authenticated users can request session exports belonging to other profiles by supplying or guessing session identifiers. The result is cross-profile data exfiltration of session transcripts, exposing potentially sensitive conversational data stored by other users on the same instance. The vulnerability is classified as [CWE-639] Authorization Bypass Through User-Controlled Key.

Critical Impact

Authenticated attackers can exfiltrate session transcripts belonging to other profiles by invoking the session export endpoint with foreign session identifiers, breaking the per-profile data isolation model.

Affected Products

  • Hermes WebUI versions prior to 0.51.443
  • Deployments exposing the api/routes.py session export endpoint
  • Multi-profile Hermes WebUI installations sharing a single backend store

Discovery Timeline

  • 2026-06-17 - CVE CVE-2026-55198 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-55198

Vulnerability Analysis

Hermes WebUI organizes user data into profiles, each scoped to its own collection of sessions. The session export endpoint accepts a session identifier and returns the serialized transcript. The _handle_session_export function in api/routes.py looks up the requested session by identifier without confirming that the session belongs to the caller's active profile. Any authenticated user with knowledge or a successful guess of a session ID can therefore retrieve transcripts owned by other profiles. The issue breaks the tenant-isolation expectation enforced elsewhere in the application and exposes session content to lateral access within the same instance.

Root Cause

The handler resolves session records using only the provided identifier as the lookup key. It does not call the profile-matching helpers (_profiles_match, get_active_profile_name) before returning data. As a result, the authorization check is reduced to authentication, and per-profile ownership is never validated. This is a textbook Insecure Direct Object Reference pattern enumerated as [CWE-639].

Attack Vector

An attacker authenticates to the Hermes WebUI instance with any valid profile. They then issue a request to the session export endpoint supplying a session identifier owned by another profile. Because the handler omits the ownership check, the server returns the serialized session transcript. Session identifiers that are sequential, low-entropy, or leaked through logs and referrers make enumeration practical.

python
# Patch excerpt from api/routes.py — adds profile-scoped imports used to
# enforce active-profile ownership on session by-id reads and exports.
# (mcp_server.py) can import it without duplicating the visibility model.
# Re-exported here so existing `_profiles_match(...)` call sites in this
# module keep resolving without per-call-site refactors.
-from api.profiles import _profiles_match  # noqa: F401, E402  (re-export)
+from api.profiles import (  # noqa: F401, E402  (re-export)
+    _profiles_match,
+    get_active_profile_name,
+    get_active_profile_name as _get_active_profile_name,
+)


def _all_profiles_query_flag(parsed_url) -> bool:

Source: GitHub commit 2a3baa7

Detection Methods for CVE-2026-55198

Indicators of Compromise

  • Requests to the session export endpoint where the supplied session ID does not belong to the authenticated user's active profile.
  • Spikes in 4xx/2xx responses from the export route correlated with sequential or enumerated session identifiers.
  • Application logs showing the same authenticated principal exporting sessions across multiple distinct profile owners.

Detection Strategies

  • Audit existing access logs against the session-to-profile mapping and flag any export retrieved by a non-owning profile.
  • Add server-side telemetry that records both the requester's active profile and the resolved session owner for every export call.
  • Alert on bulk export activity from a single account, particularly traversal patterns across session ID ranges.

Monitoring Recommendations

  • Forward Hermes WebUI application logs to a centralized log platform and retain export-endpoint events for forensic review.
  • Track per-account export volume and set thresholds that trigger review when a profile exports more sessions than it owns.
  • Monitor referrer and parameter values for session IDs that should not be visible to the caller.

How to Mitigate CVE-2026-55198

Immediate Actions Required

  • Upgrade Hermes WebUI to version 0.51.443 or later, which adds active-profile ownership checks to session by-id reads and exports.
  • Review historical access logs for any unauthorized cross-profile session exports and notify impacted users where evidence exists.
  • Rotate or invalidate any session content considered sensitive that may have been exposed prior to patching.

Patch Information

The fix is delivered in Hermes WebUI release v0.51.443. The remediation, applied in commit 2a3baa7 and tracked in PR #3991 and PR #4269, scopes session lookups to the active profile by re-exporting _profiles_match and get_active_profile_name from api.profiles and invoking them inside _handle_session_export. See the VulnCheck advisory for vendor-coordinated disclosure details.

Workarounds

  • Restrict network access to the Hermes WebUI instance to trusted users until the upgrade is applied.
  • Place a reverse proxy or API gateway in front of the export endpoint to enforce per-user authorization based on session ownership metadata.
  • Disable or block the session export route at the proxy layer for tenants that do not require it.
bash
# Example NGINX configuration to block the vulnerable export endpoint
# until Hermes WebUI is upgraded to v0.51.443 or later.
location ~* ^/api/.*/session/export {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.