CVE-2026-55196
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication.
Risk Assessment
Attackers can claim the first passkey and gain permanent administrative control, posing a serious security threat to the system.
Recommendation
It is recommended to update Hermes WebUI to version 0.51.409 or later and to disable the HERMES_WEBUI_PASSKEY option if it is not necessary.
Original NVD description (English source)
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control.

