External risk intelligence

Hermes WebUI Improper Access Control Allows Password Takeover

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-49973

An improper access control vulnerability in Hermes WebUI allows unauthenticated remote attackers to hijack initial setup by setting an arbitrary password. This can lead to unauthorized session access and lockout of legitimate operators. The vulnerability's relevance and exposure to business operations should be confirm

Halo Surface Signal (score: 4)

Missing Authentication

External exposure likelihood

Halo Surface Signal score for CVE-2026-49973

The vulnerability affects a WebUI and its associated API endpoint, which are typically deployed as internet-facing services. Because the flaw allows unauthenticated interaction with a setup configuration endpoint, it represents an externally reachable management surface that is commonly exposed in web application deployments.

PCI scan relevance

PCI Relevance for CVE-2026-49973

Yes

CVE-2026-49973 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated remote attackers to hijack initial setup by submitting a crafted parameter, which could lead to an ASV scan failure due to the improper access control.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the Hermes WebUI that allows unauthenticated remote attackers to hijack the initial setup process. This could enable an attacker to set an arbitrary password, gain session access, and lock out legitimate operators from their own instance. The main concern is confirming relevance and exposure to business operations.

  • Attackers can reset passwords during setup.
  • This compromises initial system access and control.
  • Confirm relevance and exposure to operations.

Attack Path

How an attacker could exploit the issue

An attacker on any network can target the initial setup of Hermes WebUI by sending a special request to its settings API. This request can set an arbitrary password, allowing the attacker to gain access and lock out the legitimate user during the critical first-run configuration.

  • Unauthenticated remote network access.
  • Submitting _set_password parameter to settings API.
  • Password takeover and legitimate user lockout.

Live Threat

Current exploitation, exposure, and threat context

During the initial setup phase, an unauthenticated attacker could exploit this vulnerability to hijack the system by submitting an arbitrary password hash to the settings API. This action could allow them to gain a valid session cookie and lock out the legitimate operator.

  • System configuration and operator access.
  • Unauthenticated API interaction during setup.
  • Unauthorized control and operator lockout.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects the initial setup of Hermes WebUI, making it critical for teams managing this application to identify all instances, assess their reachability, and determine business criticality. The first practical step is to locate all deployments and confirm their ownership to plan a coordinated remediation.

  • Application owners should manage the issue.
  • Verify initial setup access controls first.
  • Plan remediation based on exposure.
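The CWE-306 pattern this advisory describes, modelled beside one common way to gate a first-run password endpoint (a console-only setup token plus a one-shot setup state). This is an added illustration, not Hermes code: the endpoint path, class names and the X-Setup-Token header are assumptions; only the _set_password parameter name comes from the advisory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of a settings endpoint; names and path are assumptions.
@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)

def _hash(pw: str) -> str:
    # Salted scrypt; stored as salt:digest so the demo never keeps plaintext.
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + ":" + digest.hex()

@dataclass
class SettingsService:
    setup_done: bool = False
    password_hash: Optional[str] = None
    # Generated at boot and shown only on the server console/logs (assumed design).
    setup_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

    def _is_set_password(self, req: Request) -> bool:
        return req.method == "POST" and req.path == "/api/settings" and "_set_password" in req.form

    def vulnerable_handle(self, req: Request) -> Tuple[int, str]:
        # CWE-306: whoever reaches the endpoint during first run sets the
        # password and is handed a valid session, with no proof of identity.
        if self._is_set_password(req):
            self.password_hash = _hash(req.form["_set_password"])
            self.setup_done = True
            return 200, secrets.token_hex(16)  # session cookie
        return 404, ""

    def hardened_handle(self, req: Request) -> Tuple[int, str]:
        if not self._is_set_password(req):
            return 404, ""
        if self.setup_done:  # first-run path closes permanently after setup
            return 403, "setup already completed; authenticate to change the password"
        presented = req.headers.get("X-Setup-Token", "")
        if not hmac.compare_digest(presented, self.setup_token):
            return 401, "setup token required"  # no token, no password change
        self.password_hash = _hash(req.form["_set_password"])
        self.setup_done = True
        return 200, secrets.token_hex(16)
```

Binding the setup endpoint to loopback or a trusted network, as the advisory's exposure guidance suggests, is a complementary control to the token check shown here.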

Frequently asked questions

What is Hermes WebUI?

Hermes WebUI is a software interface used to manage and configure application settings through a browser. It often acts as a control panel for underlying services, providing an API to handle administrative tasks like user authentication and initial system setup.

What does CWE-306 mean for CVE-2026-49973?

CWE-306 refers to 'Missing Authentication for Critical Function.' In the context of CVE-2026-49973, it means the software performs a sensitive security operation—setting an administrator password—without first verifying the identity of the person making the request. This allows anyone who can reach the setup endpoint to dictate the system's access credentials.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted POST request to the settings API endpoint during the software's initial first-run configuration window. The vulnerability does not apply to instances that have already passed the initial setup phase or to requests that do not specifically target the _set_password parameter.

Is my instance of Hermes WebUI at risk?

Halo Surface Signal indicates that because this vulnerability involves an API endpoint and a WebUI, instances reachable over the internet are highly exposed. You should consider any installation that is not restricted to a private, trusted network as potentially vulnerable if it has not been updated.

What steps should I take if I use Hermes WebUI?

You should first locate all active deployments of the software in your environment. Confirm which instances are currently in the initial setup phase or are accessible via a network. Prioritize updating these installations to version 0.51.358 or later, as this release resolves the improper access control in the settings API.
