
Description

Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without ever completing the assertion. Each POST to the authentication endpoint issues a new challenge that is persisted to the challenge store file, and nothing limits or throttles those requests, so an attacker can send an unlimited number of them, causing unbounded growth of the challenge store file and excessive CPU and disk I/O from the repeated JSON file rewrites.
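The pattern behind this record, as an added illustration that is not Hermes WebUI's own code: a WebAuthn options endpoint has to remember every challenge it issues until the matching assertion arrives, and if the store persists each one to a JSON file with no expiry, cap or throttling, a client that never completes can grow the file (and the cost of rewriting it) without bound. The class names, the file layout and the limits (`ttl`, `max_entries`, `rate_limit`, `rate_window`) below are assumptions for the example; the hardened class shows one way to bound the store and is not a description of the project's patch.

```python
"""Added example (not Hermes WebUI code): an unbounded passkey challenge
store beside a bounded one. Names, file layout and limits are assumptions."""
import json
import os
import secrets
import tempfile
from collections import deque


class RateLimited(Exception):
    """Raised when a client exceeds its challenge issuance budget."""


class UnboundedChallengeStore:
    """Vulnerable pattern: every options request adds an entry and rewrites the
    whole JSON file, and abandoned challenges are never removed."""

    def __init__(self, path):
        self.path = path
        self.entries = {}  # challenge -> {"ip": ..., "issued_at": ...}

    def issue(self, client_ip, now):
        challenge = secrets.token_urlsafe(32)
        self.entries[challenge] = {"ip": client_ip, "issued_at": now}
        self._rewrite()  # full rewrite on every request: CPU + disk I/O
        return challenge

    def _rewrite(self):
        with open(self.path, "w") as f:
            json.dump(self.entries, f)


class BoundedChallengeStore(UnboundedChallengeStore):
    """Hardened pattern (illustration, not the project's fix): challenges expire
    after ttl seconds, at most max_entries are kept (oldest evicted first), and
    each client IP gets at most rate_limit issuances per rate_window seconds."""

    def __init__(self, path, ttl=120.0, max_entries=1000, rate_limit=5, rate_window=60.0):
        super().__init__(path)
        self.ttl, self.max_entries = ttl, max_entries
        self.rate_limit, self.rate_window = rate_limit, rate_window
        self.issued = deque()  # (issued_at, challenge) in issue order
        self.per_ip = {}  # ip -> deque of recent issue timestamps

    def issue(self, client_ip, now):
        self._expire(now)
        window = self.per_ip.setdefault(client_ip, deque())
        while window and now - window[0] >= self.rate_window:
            window.popleft()
        if len(window) >= self.rate_limit:
            raise RateLimited(client_ip)
        # Cap: evict the oldest live entries until there is room for one more.
        while len(self.entries) >= self.max_entries and self.issued:
            _, oldest = self.issued.popleft()
            self.entries.pop(oldest, None)
        challenge = secrets.token_urlsafe(32)
        self.entries[challenge] = {"ip": client_ip, "issued_at": now}
        self.issued.append((now, challenge))
        window.append(now)
        self._rewrite()
        return challenge

    def consume(self, challenge, now):
        """Called when the assertion arrives; None means unknown or expired."""
        self._expire(now)
        return self.entries.pop(challenge, None)

    def _expire(self, now):
        while self.issued and now - self.issued[0][0] >= self.ttl:
            _, challenge = self.issued.popleft()
            self.entries.pop(challenge, None)  # may already be consumed or evicted


def make_temp_path():
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    return path


def run_flood(store_cls, requests, client_ip="203.0.113.7", interval=0.01, **limits):
    """Replay `requests` options calls from one constructed client address that
    never completes an assertion. Returns (live_entries, file_bytes, rejected)."""
    path = make_temp_path()
    try:
        store = store_cls(path, **limits)
        now, rejected = 1_700_000_000.0, 0
        for _ in range(requests):
            try:
                store.issue(client_ip, now)
            except RateLimited:
                rejected += 1
            now += interval
        return len(store.entries), os.path.getsize(path), rejected
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("unbounded:", run_flood(UnboundedChallengeStore, 500))
    print("bounded:  ", run_flood(BoundedChallengeStore, 500))
```

Run with 500 requests from one address: the unbounded store ends with 500 live entries and a file that grew on every request, while the bounded store keeps five (the per-IP budget) and rejects the rest. The per-IP limit alone is not the bound that matters, since an attacker can spread requests across addresses; the TTL and the global cap are what keep the file size, and therefore the cost of each rewrite, finite.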

PUBLISHED Reserved 2026-06-02 | Published 2026-06-09 | Updated 2026-06-09 | Assigner VulnCheck




MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

MEDIUM: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

Allocation of Resources Without Limits or Throttling

Product status

Default status
affected

Any version before 0.51.270
affected

Credits

Chia Min Jun Lennon finder

References

github.com/nesquena/hermes-webui/releases/tag/v0.51.270 release-notes

github.com/nesquena/hermes-webui/pull/3624 technical-description

github.com/nesquena/hermes-webui/pull/3674 issue-tracking

github.com/...ommit/58528a4d88b0fa4f7b822e31d6051c669769bd3b patch

www.vulncheck.com/...resource-exhaustion-via-passkey-options third-party-advisory

cve.org (CVE-2026-49955)

nvd.nist.gov (CVE-2026-49955)
