Hermes WebUI < 0.51.269 Profile Isolation Bypass via sessions search
CVE-2026-49956

7.1HIGH

Key Information:

Vendor: Nesquena
Status: Hermes-webui
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-49956?

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.

Affected Version(s)

hermes-webui 0

References

https://github.com/nesquena/hermes-webui/releases/tag/v0....

release-notes

https://github.com/nesquena/hermes-webui/pull/3646

technical-description

https://github.com/nesquena/hermes-webui/pull/3672

issue-tracking

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 2, 2026

Credit

Chia Min Jun Lennon

CVE-2026-49956 Data

JSON

Nesquena

What is CVE-2026-49956?

Affected Version(s)

References

CVSS V4

Timeline

Credit