CVE-2026-49955

Hermes WebUI < 0.51.270 Resource Exhaustion via passkey/options

CVSS 6.9 MEDIUMEPSS 0.6%CWE-770

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.9EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

09 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Productos afectados

nesquena · hermes-webui

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/nesquena/hermes-webui/commit/58528a4d88b0fa4f7b822e31d6051c669769bd3b https://github.com/nesquena/hermes-webui/pull/3624 https://github.com/nesquena/hermes-webui/pull/3674 https://github.com/nesquena/hermes-webui/releases/tag/v0.51.270 https://www.vulncheck.com/advisories/hermes-webui-resource-exhaustion-via-passkey-options