External risk intelligence

Hermes WebUI Authentication Bypass via Spoofed Header

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58122

The vulnerability resides in a WebUI component that manages onboarding and configuration. Such web-based interfaces and management consoles are commonly deployed as internet-facing or externally reachable services, making them a likely target for remote network access.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Hermes WebUI allows unauthenticated remote attackers to bypass authentication controls. This could enable attackers to access internal services, modify sensitive configurations like API keys, or gain persistent access through token manipulation.

  • Unauthenticated access bypasses security controls.
  • Affects sensitive configurations and access tokens.
  • Confirm relevance and exposure to internal services.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a crafted request to the Hermes WebUI's onboarding endpoints. By manipulating the `X-Forwarded-For` header to include a loopback address, the attacker can bypass intended IP restrictions. This bypass allows them to then perform actions such as Server-Side Request Forgery (SSRF), which could lead to the modification of sensitive cloud configurations or the compromise of authentication mechanisms, potentially resulting in persistent access.

  • Unauthenticated network access required.
  • Spoofing `X-Forwarded-For` header triggers bypass.
  • Risks include SSRF and persistent access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated remote attackers to bypass local-origin IP restrictions and interact with internal services. Supported conditions include when the onboarding endpoints are exposed to the network and an attacker can spoof the `X-Forwarded-For` header with a loopback address. This could lead to server-side request forgery, manipulation of cloud metadata endpoints, or compromise of LLM provider configurations and API keys.

  • Server-side requests and configurations.
  • Spoofing `X-Forwarded-For` header.
  • Persistent access via token theft.

Operational Fix

Recommended remediation, mitigation, and detection steps

Hermes WebUI is likely managed by platform or infrastructure teams responsible for authentication and configuration services. The first critical step is to identify all instances of this WebUI, determine their exposure (especially internet-facing or internal network reachability), and confirm which team or application owns each deployment. Once identified, a risk-based remediation plan should be developed, prioritizing critical or exposed instances.

  • Platform or Infrastructure teams own the issue.
  • Verify all WebUI instances and exposure.
  • Plan risk-based remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Hermes WebUI?

Hermes WebUI is an interface component used for managing system onboarding and application settings. It often handles sensitive administrative tasks, such as configuring connections to LLM providers and managing API keys, making it a central control point for system operations.

What does CVE-2026-58122 mean?

This CVE identifies an authentication bypass vulnerability, classified as CWE-348. It means the software incorrectly trusts the origin of a request based on a header that can be easily faked. By manipulating specific network headers, an attacker can trick the system into thinking they are a local user, allowing them to access restricted features meant only for trusted internal connections.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a web request to the application's onboarding endpoints while injecting a spoofed 'X-Forwarded-For' header containing a loopback address. If the request does not include this specific header modification, the application's local-origin IP restrictions remain intact and the bypass does not occur.

Is my instance at risk?

Halo Surface Signal indicates a 'Likely' risk rating because this WebUI manages configuration and onboarding, which are often exposed to broader network segments. If your deployment is internet-facing or reachable by untrusted network actors, it is more susceptible to remote exploitation than a service isolated within a strictly secured, non-routable environment.

What should I do to address this issue?

Your first step is to conduct an inventory to locate all active Hermes WebUI instances within your environment. Once identified, evaluate the network accessibility of each instance. Prioritize patching or restricting network access for any deployments that are reachable from outside your internal trusted network boundaries.

References