CVE-2026-55197

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.443

Description Broken access control in the '/api/session' endpoint allows authenticated users to disclose cross-profile session transcripts. By directly querying session IDs belonging to other profiles using the GET '/api/session?session id=&messages=1' request, attackers can bypass profile boundary checks to retrieve unauthorized conversation transcripts and metadata via the session id variable.

Recommendations Update to version 0.51.443 or later. As a temporary workaround, restrict access to the '/api/session' endpoint to minimize the risk of unauthorized data disclosure.