CVE Catalog

CVE-2026-49956

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles. This enables attackers to send requests to the session search endpoint without active-profile filtering.

Risk Assessment

This vulnerability may lead to unauthorized access to sensitive user data, posing a serious threat to the privacy and security of the organization.

Recommendation

It is recommended to update Hermes WebUI to version 0.51.269 or later to mitigate this vulnerability and implement additional security measures to protect user data.

Original NVD description (English source)

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS