CVE-2026-49955: Hermes WebUI Resource Exhaustion Denial of Service
Hermes WebUI versions before 0.51.270 have a flaw that lets anyone on the internet repeatedly trigger authentication challenges without actually completing the login process. By flooding the authentication endpoint with requests, attackers can exhaust server resources—filling up disk space, consuming CPU cycles, and degrading service availability for legitimate users. No authentication is required to exploit this vulnerability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-770
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-14
NVD description (verbatim)
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49955 is a resource exhaustion vulnerability (CWE-770) in Hermes WebUI's passkey authentication mechanism. The vulnerability stems from improper handling of incomplete assertion flows in the passkey options endpoint. When an attacker sends repeated POST requests to the authentication endpoint without completing the assertion, the application unboundedly appends challenge data to a persistent JSON file. This causes: (1) uncontrolled growth of the challenge store file on disk, (2) repeated synchronous JSON file rewrites that consume CPU and I/O bandwidth, and (3) eventual denial of service as filesystem and compute resources become saturated. The attack requires no authentication or user interaction, making it trivial to execute remotely. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L reflects the network-exploitable nature and direct impact on service availability, though impact is limited to availability rather than confidentiality or integrity.
Business impact
Service degradation or outage to any organization relying on Hermes WebUI for authentication. Legitimate users may experience slow login times or inability to authenticate during an attack. Depending on deployment model, this could block access to downstream applications or services that depend on Hermes WebUI for identity verification. While the vulnerability does not expose data or allow unauthorized access, the availability impact can disrupt business operations and user productivity. Organizations with high authentication transaction volumes or limited server capacity may experience more severe impact.
Affected systems
Hermes WebUI versions prior to 0.51.270 are affected. Organizations should verify their installed version against the vendor advisory and patch timeline. The vulnerability affects any internet-facing or network-accessible deployment of the affected Hermes WebUI versions. Air-gapped or isolated deployments have reduced risk if external attack surface is eliminated.
Exploitability
This vulnerability is trivial to exploit. An attacker needs only basic HTTP client capabilities (curl, a simple script, or a botnet) to send repeated POST requests to the passkey options endpoint. No authentication is required, no special payloads are needed, and there are no interaction prerequisites. The attack surface is the public authentication endpoint itself. While not yet in the CISA Known Exploited Vulnerabilities (KEV) catalog, the simplicity of exploitation and lack of technical barriers make it a natural target once widely disclosed.
Remediation
Upgrade Hermes WebUI to version 0.51.270 or later. Verify the exact patch version against the vendor's official advisory before deployment. In environments where immediate patching is not feasible, implement network-level controls: restrict unauthenticated access to the authentication endpoint via IP allowlisting, deploy rate limiting on the passkey options endpoint to reject excessive requests from single sources, or place a WAF in front of Hermes WebUI configured to detect and block high-frequency authentication endpoint requests.
Patch guidance
Apply the vendor's patch bringing Hermes WebUI to version 0.51.270 or later. Coordinate patching during a maintenance window if service interruption is a concern. Test the patched version in a non-production environment first to ensure compatibility with dependent applications. After patching, monitor authentication logs and performance metrics to confirm the vulnerability is mitigated and no unexpected side effects occur. Verify against the vendor advisory for any additional configuration changes or known issues in the release notes.
Detection guidance
Monitor for unusual request patterns to the passkey authentication endpoint: (1) High volume of POST requests from a single IP or subnet that fail to complete assertion, (2) Rapid growth of the challenge store file on disk without corresponding successful authentications, (3) CPU and disk I/O spikes correlated with authentication endpoint activity, (4) Application or system logs indicating file write errors or disk space warnings. Implement alerts on authentication endpoint request rates and monitor the challenge store file size. Log aggregation and SIEM tools can correlate failed authentication attempts with resource utilization to detect ongoing attacks.
Why prioritize this
Although CVSS scores this as MEDIUM severity, prioritization should reflect operational context. Organizations where authentication availability is critical to business continuity (e.g., customer-facing SaaS platforms, internal identity providers) should treat this as HIGH priority for rapid patching. The combination of trivial exploitability, zero authentication barriers, and availability impact justifies near-term remediation. The attack is not yet widespread (KEV status is false), but the low technical barrier means active exploitation could emerge quickly post-disclosure. Organizations in less availability-sensitive contexts can follow standard patch cycles, but should not defer indefinitely.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects the availability-only impact, lack of authentication requirements, and network accessibility. However, risk must be assessed contextually: industries or services where uptime directly translates to revenue loss, customer trust, or regulatory compliance should elevate internal risk scores. The exploitability gap—ease of execution versus KEV inclusion status—also matters; as disclosure spreads, attack likelihood increases, justifying risk escalation in the near term.
Frequently asked questions
What happens if we get attacked by this vulnerability?
Attackers send many unauthenticated requests to your Hermes WebUI authentication endpoint. The server repeatedly writes challenge data to a file that grows without bound, consuming disk space and CPU. This slows down or stops legitimate users from logging in, disrupting your service. No attacker data exposure or account compromise occurs—just a denial of service.
Do we need to be authenticated to exploit this?
No. The vulnerability requires zero authentication. An attacker on the internet can start the attack immediately without any credentials or user interaction. This is why the attack surface is broad and the threat is significant.
Is there a patch available now?
Yes. Upgrade to Hermes WebUI version 0.51.270 or later according to the vendor advisory. Verify the exact version number and patch availability from your vendor before deployment. If immediate patching is not possible, implement rate limiting or IP allowlisting on the authentication endpoint to reduce exposure.
How can we detect if we are being attacked?
Watch for sudden increases in failed authentication requests from specific IPs, rapid growth of the challenge store file without successful logins, and unusual CPU or disk I/O spikes on your Hermes WebUI server. Set up alerts on these metrics and review authentication logs regularly, especially if you notice performance degradation.
This analysis is provided for informational purposes and reflects information available as of the publication and modification dates. Readers should verify all patch version numbers, affected product lists, and vendor guidance against official vendor advisories before making operational decisions. SEC.co does not warrant the completeness, accuracy, or applicability of this information to any specific environment. Always test patches in a controlled environment before production deployment. Consult with your vendor and security team for guidance specific to your deployment. This vulnerability analysis does not constitute legal advice or a guarantee of security. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-28237MEDIUMAMD uProf Resource Exhaustion Vulnerability – Patch Guidance
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-41710MEDIUMSpring Retry Cache Exhaustion Denial of Service
- CVE-2026-41851MEDIUMSpring Framework SpEL Denial of Service Vulnerability
- CVE-2026-44545MEDIUMDaphne WebSocket Denial of Service via Unlimited Payload Size