Vendor
CVE-2026-58122 describes an authentication bypass vulnerability in Hermes WebUI before version 0.51.307, allowing unauthenticated remote attackers to bypass local-origin IP restrictions on onboarding endpoints by spoofing the X-Forwarded-For header with a loopback address, leading to server-side request forgery (SSRF), API key overwrites, and persistent access token acquisition.