Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability in the Hermes WebUI allows unauthenticated remote attackers to bypass authentication controls. This could enable attackers to access internal services, modify sensitive configurations like API keys, or gain persistent access through token manipulation.
- Unauthenticated access bypasses security controls.
- Affects sensitive configurations and access tokens.
- Confirm relevance and exposure to internal services.
Attack Path
How an attacker could exploit the issue
An attacker could exploit this vulnerability by sending a crafted request to the Hermes WebUI's onboarding endpoints. By manipulating the `X-Forwarded-For` header to include a loopback address, the attacker can bypass intended IP restrictions. This bypass allows them to then perform actions such as Server-Side Request Forgery (SSRF), which could lead to the modification of sensitive cloud configurations or the compromise of authentication mechanisms, potentially resulting in persistent access.
- Unauthenticated network access required.
- Spoofing `X-Forwarded-For` header triggers bypass.
- Risks include SSRF and persistent access.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow unauthenticated remote attackers to bypass local-origin IP restrictions and interact with internal services. Supported conditions include when the onboarding endpoints are exposed to the network and an attacker can spoof the `X-Forwarded-For` header with a loopback address. This could lead to server-side request forgery, manipulation of cloud metadata endpoints, or compromise of LLM provider configurations and API keys.
- Server-side requests and configurations.
- Spoofing `X-Forwarded-For` header.
- Persistent access via token theft.
Operational Fix
Recommended remediation, mitigation, and detection steps
Hermes WebUI is likely managed by platform or infrastructure teams responsible for authentication and configuration services. The first critical step is to identify all instances of this WebUI, determine their exposure (especially internet-facing or internal network reachability), and confirm which team or application owns each deployment. Once identified, a risk-based remediation plan should be developed, prioritizing critical or exposed instances.
- Platform or Infrastructure teams own the issue.
- Verify all WebUI instances and exposure.
- Plan risk-based remediation.