CVE-2026-49956
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles. This enables attackers to send requests to the session search endpoint without active-profile filtering.
Risk Assessment
This vulnerability may lead to unauthorized access to sensitive user data, posing a serious threat to the privacy and security of the organization.
Recommendation
It is recommended to update Hermes WebUI to version 0.51.269 or later to mitigate this vulnerability and implement additional security measures to protect user data.
Original NVD description (English source)
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.

