PT-2026-50521 · Hermes Webui · Hermes-Webui

Published: 2026-06-17 · Updated: 2026-06-17 · CVE-2026-55196

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Hermes WebUI versions prior to 0.51.409

Description

An authentication bypass exists in the passkey registration endpoints. When `HERMES_WEBUI_PASSKEY=1` is enabled and no credentials exist, unauthenticated remote attackers can register arbitrary passkeys. This occurs because the endpoints `POST /api/auth/passkey/register/options` and `POST /api/auth/passkey/register` are accessible without authentication, potentially allowing an attacker to claim the first passkey and obtain permanent administrative control.

Recommendations

Update to version 0.51.409 or later.

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-55196

Affected Products

Hermes-Webui