CVE-2026-49956
CWE-862Published: June 9, 2026· Updated: Jun 9, 2026
Official Description
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.
Technical Analysis
CVE-2026-49956 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 6.5.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (6)
Quick Facts
Related CVEs (CWE-862)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-49956 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts