How is CVE-2026-53871 exploited?

Network reachability (required): The attacker must reach the Hermes WebUI service over the network; the CVSS vector specifies AV:N, meaning network exposure is sufficient and no physical or adjacent-network access is needed. Authentication (required): A low-privilege account is sufficient; the attacker must be authenticated to the Hermes WebUI instance (PR:L), but no administrative or elevated privileges are required. Victim interaction (not-required): No victim interaction is needed; the attacker forges the cookie directly without requiring another user to click a link or take any action (UI:N). Attack complexity (info): Attack complexity is low (AC:L); exploitation is reliable and requires no race conditions, special memory layout, or environmental pre-conditions beyond holding a valid low-privilege session.

What is the impact of CVE-2026-53871?

Attacker reads session tokens and private files belonging to other profiles within the Hermes WebUI instance. Attacker modifies or overwrites resources scoped to profiles they do not legitimately own. Attacker pivots across all profiles accessible to the server, effectively collapsing profile-level isolation for the entire deployment.

Back to search

HIGHCVE-2026-53871Published 2026-06-17Modified 2026-06-17CNA VulnCheck

CVE-2026-53871: Hermes WebUI < 0.51.368 - Profile-Scoped Authorization Bypass via Forged hermes_profile Cookie

Q: What is CVE-2026-53871?

This is an authorization bypass vulnerability in Hermes WebUI affecting versions before 0.51.368. An authenticated attacker can forge the hermes_profile cookie value to trick the get_profile_cookie() function into skipping profile-scoped authorization checks, gaining access to sessions, files, and resources belonging to other profiles. The attacker needs a low-privilege account to exploit this over the network; no further interaction is required. A patched-image rebuild at version 0.51.368 is available on HarborGuard for affected environments.

Q: How is CVE-2026-53871 fixed?

A patched-image rebuild at Hermes WebUI 0.51.368 becomes available for any customer image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 0.51.368
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authorization bypass vulnerability in Hermes WebUI affecting versions before 0.51.368. An authenticated attacker can forge the hermes_profile cookie value to trick the get_profile_cookie() function into skipping profile-scoped authorization checks, gaining access to sessions, files, and resources belonging to other profiles. The attacker needs a low-privilege account to exploit this over the network; no further interaction is required. A patched-image rebuild at version 0.51.368 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-53871 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Hermes WebUI.

Available

Triage

HarborGuard scores this CVE at 8.6 HIGH using the published CVSS v4.0 vector and can weight that score against each customer organization's per-environment compliance policies before routing the finding to the appropriate team inbox.

Available

Patch

A patched-image rebuild at Hermes WebUI 0.51.368 becomes available for any customer image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Hermes WebUI service over the network; the CVSS vector specifies AV:N, meaning network exposure is sufficient and no physical or adjacent-network access is needed.
AuthenticationRequired
A low-privilege account is sufficient; the attacker must be authenticated to the Hermes WebUI instance (PR:L), but no administrative or elevated privileges are required.
Victim interactionNot required
No victim interaction is needed; the attacker forges the cookie directly without requiring another user to click a link or take any action (UI:N).
Attack complexityDetail
Attack complexity is low (AC:L); exploitation is reliable and requires no race conditions, special memory layout, or environmental pre-conditions beyond holding a valid low-privilege session.

Blast Radius

Attacker reads session tokens and private files belonging to other profiles within the Hermes WebUI instance.
Attacker modifies or overwrites resources scoped to profiles they do not legitimately own.
Attacker pivots across all profiles accessible to the server, effectively collapsing profile-level isolation for the entire deployment.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against all customer images within minutes of advisory ingestion. For images confirmed to carry a vulnerable version of Hermes WebUI (below 0.51.368), a rebuild at the fixed version becomes available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run against the patched image, and opens a pull request targeting affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the full CVSS context and a direct link to the upstream advisory from VulnCheck.

See how HarborGuard automates this

Fix available

0.51.368

Patch commits

github.com

Affected packages

nesquena / hermes-webui
< 0.51.368 (from 0)
Fixed in 0.51.368

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available