Resource Exhaustion Vulnerability in Hermes WebUI by Nesquena
CVE-2026-55205

6.9MEDIUM

Key Information:

Vendor

Nesquena

Status
Hermes-webui
Vendor
CVE Published:
18 June 2026

What is CVE-2026-55205?

The Hermes WebUI, prior to version 0.51.468, is susceptible to a resource exhaustion vulnerability via the unauthenticated POST /api/onboarding/oauth/start endpoint. This flaw allows attackers to flood the server with repeated or concurrent requests, leading to significant in-memory flow state and daemon thread accumulation. Consequently, this can result in the exhaustion of server memory and thread resources, prompting excessive outbound device-code requests to upstream OAuth providers. Addressing this vulnerability is crucial to maintaining server integrity and performance.

Affected Version(s)

hermes-webui 0 < 0.51.468

hermes-webui 0.51.468

References

https://github.com/nesquena/hermes-webui/releases/tag/v0....
release-notes
https://github.com/nesquena/hermes-webui/pull/3970
technical-description
https://github.com/nesquena/hermes-webui/pull/4338
issue-tracking

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon
.