What happened
Hermes WebUI before 0.51.307 restricts onboarding endpoints to local-origin IPs, but the check trusts a client-supplied X-Forwarded-For header. An unauthenticated remote attacker can spoof a loopback address in this header to bypass the restriction, then perform SSRF against internal services (including cloud metadata endpoints), overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.
Why it matters
A self-hosted AI chat platform's entire trust boundary for sensitive onboarding/config endpoints collapses to a single spoofable HTTP header, letting a remote unauthenticated attacker pivot to cloud metadata SSRF and hijack the LLM provider configuration and stored credentials — a full compromise of the deployment's AI backend trust chain.
Attack vector
Unauthenticated request to onboarding endpoint with spoofed X-Forwarded-For: 127.0.0.1 header bypasses local-origin IP restriction, enabling SSRF and config/API-key overwrite
Affected systems
Hermes WebUI < 0.51.307
Mitigation
Upgrade to Hermes WebUI ≥0.51.307; do not trust client-supplied X-Forwarded-For for authentication decisions