Vulnerability  ·  2026-07-11

Hermes WebUI — Unauthenticated Remote Code Execution via Terminal API (CVSS 9.8)

VulnerabilityHigh impactGlobalCVE-2026-58123
Hermes WebUI versions before 0.51.788 expose embedded terminal API endpoints without any authentication check, allowing a remote unauthenticated attacker to reach privileged terminal functionality and execute arbitrary shell commands as the server process user.
Combined with the related auth-bypass CVE-2026-58122 disclosed the same week, this gives an unauthenticated remote attacker full shell access on any exposed Hermes WebUI instance — a self-hosted AI assistant platform — representing complete host compromise with no prerequisites.
Unauthenticated HTTP request directly to embedded terminal API endpoint executes arbitrary shell commands
Hermes WebUI < 0.51.788
Upgrade to Hermes WebUI ≥0.51.788
Mallory.ai
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →