GHSA-5j37-rf54-82q2CriticalCVSS 9.1

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey...

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.

🔗 References (7)