CVE-2026-49955
5.3 MEDIUM
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade...
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE: CWE-770
Description
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.
Source: NVD
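Mitigation sketch (an added example, not code from Hermes WebUI or its fix): a pending-challenge store that stays bounded when options requests are never followed by an assertion. The class name, the limits, the in-memory storage and keying clients by source address are all assumptions made for illustration.

```python
import secrets
import time
from collections import OrderedDict


class BoundedChallengeStore:
    """Pending passkey challenges with a TTL, a global cap and a per-client cap."""

    def __init__(self, ttl=120.0, max_total=1000, max_per_client=5, clock=time.monotonic):
        self.ttl, self.max_total, self.max_per_client = ttl, max_total, max_per_client
        self.clock = clock
        self._pending = OrderedDict()  # challenge -> (client_id, expires_at), oldest first

    def _purge_expired(self):
        now = self.clock()
        # Fixed TTL plus insertion order means expired entries are always at the front.
        while self._pending:
            challenge, (_, expires_at) = next(iter(self._pending.items()))
            if expires_at > now:
                break
            del self._pending[challenge]

    def issue(self, client_id):
        """Return a new challenge, or None when the caller should be throttled (HTTP 429)."""
        self._purge_expired()
        held = sum(1 for cid, _ in self._pending.values() if cid == client_id)
        if held >= self.max_per_client:
            return None
        if len(self._pending) >= self.max_total:
            # Evict the oldest entry so the store never exceeds the cap.
            # Trade-off: under a distributed flood an older legitimate challenge may be dropped.
            self._pending.popitem(last=False)
        challenge = secrets.token_urlsafe(32)
        self._pending[challenge] = (client_id, self.clock() + self.ttl)
        return challenge

    def consume(self, challenge):
        """Single-use lookup at assertion time; unknown or expired challenges fail."""
        self._purge_expired()
        return self._pending.pop(challenge, None) is not None

    def __len__(self):
        return len(self._pending)


def simulate_flood(store, client_id, requests):
    """Constructed scenario: one client requests options repeatedly and never asserts."""
    issued = sum(1 for _ in range(requests) if store.issue(client_id) is not None)
    return issued, len(store)
```

Holding pending challenges in memory also avoids rewriting a file on every request; a deployment that needs persistence would apply the same caps before each write.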
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49955
- Other: https://github.com/nesquena/hermes-webui/commit/58528a4d88b0fa4f7b822e31d6051c669769bd3b
- Other: https://github.com/nesquena/hermes-webui/pull/3624
- Other: https://github.com/nesquena/hermes-webui/pull/3674
- Other: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.270
- Other: https://www.vulncheck.com/advisories/hermes-webui-resource-exhaustion-via-passkey-options
Related CVEs
Same CWE
- CVE-2026-24720 — An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6
- CVE-2026-41726 — When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with uniqu... (6.5 MEDIUM)
- CVE-2026-41716 — Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhau... (7.5 HIGH)
- CVE-2026-28237 — Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of ...
- CVE-2026-42570 — Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job (7.5 HIGH)