CVE-2026-49956
Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
09/06/2026
Descripción
*** Pendiente de traducción *** Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.
Impacto
Puntuación base 4.0
7.10
Gravedad 4.0
ALTA
Puntuación base 3.x
6.50
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://github.com/nesquena/hermes-webui/commit/2c7b530071bb29ae4184e83e33be5799d529568e
- https://github.com/nesquena/hermes-webui/pull/3646
- https://github.com/nesquena/hermes-webui/pull/3672
- https://github.com/nesquena/hermes-webui/releases/tag/v0.51.269
- https://www.vulncheck.com/advisories/hermes-webui-profile-isolation-bypass-via-sessions-search
- https://github.com/nesquena/hermes-webui/pull/3646



