{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/hermes/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-58122"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hermes WebUI \u003c 0.51.307"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","ssrf","web-vulnerability","credential-theft","persistence","cloud","network"],"_cs_type":"advisory","_cs_vendors":["Hermes"],"content_html":"\u003cp\u003eUnauthenticated remote attackers can exploit CVE-2026-58122, an authentication bypass vulnerability affecting Hermes WebUI versions prior to 0.51.307. This vulnerability allows attackers to circumvent local-origin IP restrictions on specific \u0026quot;onboarding endpoints\u0026quot; by manipulating the \u003ccode\u003eX-Forwarded-For\u003c/code\u003e HTTP header. By supplying a spoofed loopback address (e.g., 127.0.0.1) in this header, the attacker can deceive the application into believing the request originates from an internal, trusted source. This bypass facilitates server-side request forgery (SSRF), enabling attackers to interact with internal services, including sensitive cloud metadata endpoints. Successful exploitation can lead to critical consequences such as overwriting Large Language Model (LLM) provider configurations and API keys with attacker-controlled values, or initiating OAuth device-code flows to obtain persistent access tokens stored within the \u003ccode\u003eauth.json\u003c/code\u003e file.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker sends an HTTP request to a vulnerable Hermes WebUI server before version 0.51.307.\u003c/li\u003e\n\u003cli\u003eThe attacker targets specific \u0026quot;onboarding endpoints\u0026quot; within the Hermes WebUI application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the HTTP request to include a spoofed \u003ccode\u003eX-Forwarded-For\u003c/code\u003e header, setting its value to a loopback address (e.g., \u003ccode\u003e127.0.0.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Hermes WebUI processes the spoofed header, bypassing its local-origin IP restrictions, and interprets the request as originating from a trusted internal source.\u003c/li\u003e\n\u003cli\u003eThe attacker then leverages this bypass to perform server-side request forgery (SSRF) against internal services accessible from the WebUI, including cloud metadata endpoints.\u003c/li\u003e\n\u003cli\u003eThrough the SSRF, the attacker can obtain sensitive cloud metadata or overwrite LLM provider configuration and API keys with values they control.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker can initiate OAuth device-code flows via SSRF to acquire persistent access tokens.\u003c/li\u003e\n\u003cli\u003eThese persistent access tokens are then stored in the \u003ccode\u003eauth.json\u003c/code\u003e file, granting the attacker persistent access to the compromised system or associated services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-58122 carries severe consequences, reflected in its CVSS v3.1 Base Score of 9.1. Attackers can gain unauthorized access to internal network resources and cloud environments. This includes the potential exfiltration of sensitive cloud metadata, compromise of LLM provider configurations, and theft of API keys, which can lead to further unauthorized access to services and data. The ability to acquire persistent access tokens stored in \u003ccode\u003eauth.json\u003c/code\u003e allows for long-term compromise and control over affected systems or associated third-party integrations, resulting in data breaches, service disruptions, and potentially complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-58122 by upgrading Hermes WebUI to version 0.51.307 or later immediately to remediate the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM solution to detect suspicious \u003ccode\u003eX-Forwarded-For\u003c/code\u003e header manipulation attempts targeting onboarding endpoints.\u003c/li\u003e\n\u003cli\u003eImplement Web Application Firewall (WAF) rules to inspect and filter \u003ccode\u003eX-Forwarded-For\u003c/code\u003e headers for suspicious loopback addresses or unusual patterns, especially for external-facing \u0026quot;onboarding endpoints.\u0026quot;\u003c/li\u003e\n\u003cli\u003eHarden internal network segregation and endpoint security to limit the impact of successful SSRF attacks, particularly by restricting access to cloud metadata endpoints and sensitive configuration files like \u003ccode\u003eauth.json\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T22:18:52Z","date_published":"2026-07-09T22:18:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-hermes-webui-auth-bypass/","summary":"CVE-2026-58122 describes an authentication bypass vulnerability in Hermes WebUI before version 0.51.307, allowing unauthenticated remote attackers to bypass local-origin IP restrictions on onboarding endpoints by spoofing the X-Forwarded-For header with a loopback address, leading to server-side request forgery (SSRF), API key overwrites, and persistent access token acquisition.","title":"CVE-2026-58122: Hermes WebUI Authentication Bypass via Spoofed X-Forwarded-For Header","url":"https://feed.craftedsignal.io/briefs/2026-07-hermes-webui-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Hermes","version":"https://jsonfeed.org/version/1.1"}