CVE-2026-58122 in hermes-webuiinfo

Summary

by MITRE • 07/10/2026

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability represents a critical authentication bypass flaw in Hermes WebUI versions prior to 051.307 that fundamentally undermines the security model protecting sensitive onboarding endpoints. The issue stems from improper validation of client origin verification mechanisms, specifically how the application processes the X-Forwarded-For header to determine request source. When attackers supply a spoofed X-Forwarded-For header containing a loopback address such as 127.0.0.1 or ::1, the system incorrectly treats the request as originating from a local source, thereby bypassing crucial IP restriction checks that are designed to prevent external access to internal services.

The technical implementation flaw resides in the application's trust model where it relies on HTTP headers for origin validation without proper sanitization or additional verification mechanisms. This type of vulnerability aligns with CWE-284 Access Control Issues and specifically manifests as an improper authorization check where the system fails to validate that the forwarded address genuinely corresponds to the actual client IP address. The vulnerability creates a dangerous trust relationship between the application and potentially malicious headers, allowing attackers to manipulate the perceived origin of requests.

The operational impact of this authentication bypass is severe and multifaceted across multiple attack vectors. Server-side request forgery becomes possible against internal services including cloud metadata endpoints which typically contain sensitive information about the hosting environment, instance identifiers, and credential material. Additionally, attackers can overwrite critical LLM provider configuration parameters and API keys with malicious values, potentially redirecting all model interactions through attacker-controlled infrastructure. The ability to initiate OAuth device-code flows represents a particularly concerning aspect as it enables persistent access token acquisition that can be stored in the auth.json file, providing long-term unauthorized access to system resources.

The exploitation of this vulnerability follows a systematic approach where attackers first establish a spoofed header with loopback addresses, then leverage the bypassed access controls to target internal services. This attack pattern aligns with ATT&CK technique T1566.002 Phishing via Service Providers and T1071.004 Application Layer Protocol DNS, as it involves manipulating HTTP headers to achieve unauthorized access. The threat actor can escalate privileges through these means without requiring legitimate credentials, making the attack particularly stealthy and difficult to detect through traditional authentication monitoring.

Mitigation strategies should focus on implementing proper header validation mechanisms that either ignore or validate all forwarded headers against known trusted proxy configurations. The system architecture must enforce strict origin verification that cannot be easily spoofed through HTTP headers alone. Organizations should implement additional controls such as mandatory authentication for internal endpoints, network segmentation to isolate sensitive services, and comprehensive monitoring of unusual header patterns or access attempts to internal resources. Furthermore, the application should implement rate limiting and anomaly detection for suspicious request patterns involving loopback address spoofing attempts.

Security teams must also consider implementing proper input sanitization and validation for all HTTP headers that influence access control decisions. The solution requires moving away from header-based origin trust models to more robust authentication mechanisms that do not rely on potentially manipulable client-provided information. Regular security audits should verify that no other similar vulnerabilities exist in the system's access control logic, particularly around IP-based restrictions and header validation processes. Patch management programs must be prioritized to ensure rapid deployment of the vendor-supplied fix for this specific vulnerability affecting versions prior to 0.51.307.

Responsible

VulnCheck

Reservation

06/29/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!