
Hermes WebUI Passkey Registration Authentication Bypass

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-55196

An authentication bypass vulnerability in Hermes WebUI allows unauthenticated remote attackers to register arbitrary passkeys when a specific configuration is enabled, potentially leading to permanent administrative control. This issue is relevant if your environment uses Hermes WebUI and its passkey feature is configu

Missing Authentication

Halo Surface Signal (4): Likely · external exposure

The vulnerability affects a WebUI and its associated API endpoints, which are common components of internet-facing web applications. Because these interfaces are frequently exposed to the public internet to provide remote accessibility, the vulnerable surface is commonly reachable in real-world deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Hermes WebUI allows unauthenticated attackers to register passkeys, potentially granting them administrative control if specific configuration settings are enabled. The main concern is confirming if your environment utilizes this specific technology and is configured in a way that exposes this risk.

  • Attackers can register admin passkeys without logging in.
  • Remediation prevents unauthorized administrative control of systems.
  • Confirm whether this technology is in use and how it is configured.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can exploit this vulnerability by accessing specific API endpoints when the HERMES_WEBUI_PASSKEY setting is enabled and no prior credentials exist. This allows the attacker to register an arbitrary passkey, effectively taking over administrative control of the system.

  • Unauthenticated remote network access.
  • Registering passkeys via specific API endpoints.
  • Permanent administrative control of the system.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated remote attackers to register arbitrary passkeys when a specific configuration setting is enabled and no prior credentials exist. This could lead to attackers gaining permanent administrative control over the affected system.

  • Administrative control of the system.
  • Unauthenticated remote passkey registration.
  • Permanent administrative takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the Hermes WebUI, likely managed by platform or application teams. The first practical step is to identify all Hermes WebUI instances, determine their external reachability and business criticality, and locate the accountable owner before planning remediation.

  • Platform or application teams own remediation.
  • Verify external reachability and criticality.
  • Plan remediation based on assessed risk.
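The advisory names detection as part of the operational fix but gives no detection logic. As an added example (not Halo's or Hermes WebUI's own code), the following scans web-server access logs for the pattern the advisory describes: passkey registration requests that carry no session. The endpoint path, the session-cookie name and the log format are assumptions; the log lines are constructed for the example and must be replaced with the real values from your deployment.

```python
"""Added example: flag passkey-registration requests made without a session.
Not Hermes WebUI code; path, cookie name and log format are assumptions."""
import re
from collections import Counter

# ASSUMED placeholders: the advisory does not name the endpoint or cookie.
REGISTRATION_PATHS = ("/api/passkey/register",)
SESSION_COOKIE = "hermes_session"

# Combined-log style line with the request's Cookie header appended in quotes
# (assumed logging format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<cookies>[^"]*)"$'
)

# Constructed sample: two anonymous registrations that succeeded, one
# legitimate registration from an authenticated session, one rejected attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /api/passkey/register HTTP/1.1" 200 512 "-"
203.0.113.7 - - [12/Mar/2026:10:01:03 +0000] "POST /api/passkey/register HTTP/1.1" 200 512 "-"
198.51.100.20 - - [12/Mar/2026:10:02:00 +0000] "POST /api/passkey/register HTTP/1.1" 200 512 "hermes_session=abc123"
198.51.100.20 - - [12/Mar/2026:10:02:05 +0000] "GET /dashboard HTTP/1.1" 200 2048 "hermes_session=abc123"
203.0.113.9 - - [12/Mar/2026:10:03:00 +0000] "POST /api/passkey/register HTTP/1.1" 401 0 "-"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_session(cookie_header):
    """True if the Cookie header carries the (assumed) session cookie."""
    return any(
        part.strip().startswith(SESSION_COOKIE + "=")
        for part in cookie_header.split(";")
    )


def find_unauthenticated_registrations(log_text):
    """List every POST to a registration path that had no session cookie.

    Each finding records whether the server answered 2xx, i.e. whether the
    registration actually went through rather than being rejected.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real tool would count these
        if rec["method"] != "POST" or rec["path"] not in REGISTRATION_PATHS:
            continue
        if has_session(rec["cookies"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "succeeded": rec["status"].startswith("2"),
        })
    return findings


def successful_by_ip(findings):
    """Count successful anonymous registrations per source address."""
    return Counter(f["ip"] for f in findings if f["succeeded"])


if __name__ == "__main__":
    for f in find_unauthenticated_registrations(SAMPLE_LOG):
        print(f)
    print(successful_by_ip(find_unauthenticated_registrations(SAMPLE_LOG)))
```

A successful anonymous registration is the high-priority signal; rejected attempts are worth recording because they show the endpoint is reachable from outside.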

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-55196 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated remote attackers to register arbitrary passkeys, which could lead to a PCI ASV scan failure due to authentication bypass.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Hermes WebUI?

Hermes WebUI is a management interface used to control and configure services within a software environment. It often includes API endpoints that handle user authentication and security features like passkeys, allowing administrators to manage system access remotely through a browser-based dashboard.

How does CVE-2026-55196 work?

This vulnerability is an authentication bypass, classified under CWE-306 for missing authentication for a critical function. Because the registration process fails to verify if a user is authorized, an unauthenticated attacker can call specific API endpoints to register their own passkey, effectively granting them permanent administrative rights over the system.
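The attack path and the FAQ above both describe the same CWE-306 gap: when the passkey feature is on and no credentials exist yet, the registration step does not verify who is calling it. As an added example (not Hermes WebUI code, and not the project's actual fix), the guard below shows the behaviour the advisory describes beside a hardened version that closes it. The state fields, the meaning of the HERMES_WEBUI_PASSKEY flag as a boolean, and the console bootstrap token are assumptions for illustration.

```python
"""Added example: a passkey-registration authorization gate.
Not Hermes WebUI code; state layout and bootstrap mechanism are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import hmac


@dataclass
class WebUIState:
    passkey_enabled: bool                      # assumed to mirror HERMES_WEBUI_PASSKEY
    credentials: Dict[str, str] = field(default_factory=dict)  # user -> credential id
    # ASSUMED: one-time secret shown on the server console at first start;
    # None once consumed. Gives first-run setup an out-of-band proof of control.
    bootstrap_token: Optional[str] = None


@dataclass
class Request:
    authenticated_user: Optional[str]          # set by session middleware, else None
    bootstrap_token: Optional[str] = None      # supplied by the operator on first run


class RegistrationDenied(Exception):
    pass


def vulnerable_can_register(state: WebUIState, request: Request) -> bool:
    """Behaviour the advisory describes: with the feature enabled and no
    credentials yet, any caller may register a passkey."""
    if not state.passkey_enabled:
        return False
    return not state.credentials or request.authenticated_user is not None


def hardened_can_register(state: WebUIState, request: Request) -> bool:
    """Hardened gate:
    - feature disabled            -> deny
    - credentials already exist   -> require an authenticated session
    - first run (no credentials)  -> require the one-time bootstrap token,
      compared in constant time, so a remote caller without console access
      cannot complete the first registration.
    """
    if not state.passkey_enabled:
        return False
    if state.credentials:
        return request.authenticated_user is not None
    if state.bootstrap_token is None or request.bootstrap_token is None:
        return False
    return hmac.compare_digest(state.bootstrap_token, request.bootstrap_token)


def register_passkey(state: WebUIState, request: Request,
                     user: str, credential_id: str) -> bool:
    """Register a passkey only if the hardened gate allows it; the bootstrap
    token is single use and is consumed by the first successful registration."""
    if not hardened_can_register(state, request):
        raise RegistrationDenied("passkey registration not authorized")
    if not state.credentials:
        state.bootstrap_token = None
    state.credentials[user] = credential_id
    return True


if __name__ == "__main__":
    fresh = WebUIState(passkey_enabled=True, bootstrap_token="console-token")
    anonymous = Request(authenticated_user=None)
    print("vulnerable allows anonymous first registration:",
          vulnerable_can_register(fresh, anonymous))
    print("hardened allows anonymous first registration:",
          hardened_can_register(fresh, anonymous))
```

The two checks differ only in the first-run branch, which is exactly the condition the advisory scopes the risk to: the feature enabled and no prior credentials.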

When does this vulnerability pose a risk?

The risk is present only when the HERMES_WEBUI_PASSKEY configuration is enabled and the system has no existing credentials. If you have already set up legitimate credentials for the application, or if the passkey feature is disabled, the specific attack path described in this CVE is not applicable.

Is my Hermes WebUI instance at risk?

Halo Surface Signal indicates that because this vulnerability involves web-based API endpoints, it is highly likely to be reachable if your instance is exposed to the internet. You should determine if your specific deployment allows public network access to these administrative endpoints, as this increases the likelihood that an attacker could reach the vulnerable registration process.

What should I do to address this issue?

Start by identifying all deployed instances of Hermes WebUI in your infrastructure. Coordinate with the relevant platform or application owners to confirm their current configuration, verify if they are accessible from the internet, and prepare to update the software to version 0.51.409 or later to secure the authentication process.
