Top/Articles/Popular AI Agent UI 'Hermes WebUI' Server-Takeover Flaw CVE-2026-58123 — No Password Needed, Plus API-Key Theft; Update Now
hermes-webui-cve-cover-en

Popular AI Agent UI 'Hermes WebUI' Server-Takeover Flaw CVE-2026-58123 — No Password Needed, Plus API-Key Theft; Update Now

A flaw (CVE-2026-58123, severity 9.8) in the popular tool Hermes WebUI—which runs your own AI agent from a browser (15,000+ GitHub stars)—lets attackers take over the server with no password. A second flaw, CVE-2026-58122, strips out paid LLM API keys and messaging credentials. Fixes are out for both, and updating to the latest stops them. We explain the scope and the fix.

NewsPublished July 10, 2026 Updated today
Table of contents
Key takeaways

A flaw (CVE-2026-58123, severity 9.8) in the popular tool Hermes WebUI—which runs your own AI agent from a browser (15,000+ GitHub stars)—lets attackers take over the server with no password. A second flaw, CVE-2026-58122, strips out paid LLM API keys and messaging credentials. Fixes are out for both, and updating to the latest stops them. We explain the scope and the fix.

The popular tool that lets you run your own personal AI agent on your own server and operate it from a browser or phone, "Hermes WebUI," has a serious flaw that lets the server be taken over without entering any password at all. Tracked as CVE-2026-58123, its severity is a top-tier 9.8 out of 10. Hermes WebUI has gathered over 15,000 stars on GitHub and is a fast-spreading self-hosted AI agent platform.

Disclosed at the same time is a second flaw (CVE-2026-58122, severity 9.1). This one impersonates "access from itself" to pry open internal-only features and strip out the paid API keys for LLMs and the login credentials for messaging integrations. Both can be exploited without authentication, and the more you expose Hermes WebUI to the internet, the more dangerous it is. Fortunately, fixes are already out for both, and updating to the latest version stops them. If you run Hermes WebUI yourself, check your version right now instead of putting it off.

What is Hermes WebUI?

Hermes WebUI is a web screen for using "Hermes Agent," the autonomous AI agent published by the AI company Nous Research, from a browser or phone. An AI agent is an AI that, when given an instruction, works out the steps itself and progresses through the task while using tools. Hermes in particular sells itself on keeping conversational memory for a long time, banking procedures it has learned, and handling scheduled jobs around the clock even while you sleep. Being able to have a dedicated AI assistant without writing code has made it popular, mainly among developers.

What matters here is that Hermes WebUI holds a great many "keys" and "gateways." To run it, you register the API keys for LLMs from OpenAI, Anthropic, Google, DeepSeek and others (usage passes that incur a charge each time they are used). It can also integrate with multiple contact channels such as Telegram, Slack, Signal, and email, and their login information (authentication credentials called OAuth tokens) is stored in an internal file. On top of that, it even includes a "terminal" feature that can run commands on the server. In other words, having Hermes WebUI taken over means that hijacking your AI usage charges, taking over linked messaging accounts, and seizing the server itself can all happen at once.

Problems where an AI agent is taken over merely by opening a web page or exposing an admin screen have been coming one after another in this field. The flaw where the coding-assistant AI 'Cline' is hijacked just by opening a malicious site and the flaw where Langflow's AI agent is taken over just by opening a page share the same underlying shape.

What is the danger, and how much can be stolen?

The two issues bring damage in different directions: "takeover" and "key theft." The 9.8 CVE-2026-58123 in particular left the entrance to Hermes WebUI's built-in terminal feature reachable from outside without any password check. An attacker can run any command on the server without logging in at all. This is called remote code execution (RCE) and is among the heaviest classes of vulnerability. Stealing, altering, or deleting data on the server, or using it as a stepping stone into other systems, becomes, in principle, freely possible.

The other, the 9.1 CVE-2026-58122, pries open the initial-setup gateway that should only be reachable "from within the same server" by spoofing the access source. Struck here, the registered LLM API keys and the OAuth tokens for linking with Telegram, Slack and the like are stolen. If the API keys are stolen, an attacker can run up LLM usage as a "free ride" on your bill, leading to charges you never made. If the messaging credentials are handed over too, it can spread to takeover of the linked accounts.

What both share is that no authentication (password or login) is needed at all, and no action by the user is required. If you have placed Hermes WebUI somewhere reachable from the internet, you can be targeted indiscriminately the moment a program automatically roaming the net finds it. The combination of low attack difficulty and large assets held is what makes these two especially dangerous.

Who targets this hole, and what happens?

The likely exploiters are attackers who automatically scan the whole net to find AI tools' admin screens, and "LLMjacking" crews that run up LLMs on other people's bills with stolen API keys. Because AI agents hold expensive LLM usage passes and cloud keys, they are a high-value target that can be efficiently converted to cash.

The attack flow is almost anticlimactically simple. The attacker sends commands directly to the terminal feature of an exposed Hermes WebUI without entering any password, and runs whatever program they like on the server. In the other technique, they slip a false marker of "I am accessing from within the same server" into the traffic, pry open the internal-only settings screen, and walk off with the ring of keys. Neither requires any fault or click on the victim's side.

As a result, individuals and small teams who set up and use Hermes WebUI themselves can simultaneously suffer having their AI usage fees devoured, their linked messaging accounts hijacked, and personal data or source code on the server stolen. The 24/7 personal AI they entrusted things to for convenience turns, wholesale, into the attacker's tool. The pattern where the more powerful the privileges and keys entrusted to an AI agent, the larger the damage, has also been pointed out in the flaws in the AI-agent terminal Warp.

A technical look at what is happening

The two strike in different places. Each has its own identifier assigned.

CVE-2026-58123: Commanding directly from the "terminal gateway" with no password check

Hermes WebUI has a built-in terminal feature that can run commands on the server, and its exchanges go through an internal API gateway. This gateway was supposed to be guarded so only logged-in legitimate users could use it. But this terminal API lacked an authentication (identity-verification) mechanism and was in a state where anyone outside could hit it. The U.S. National Institute of Standards and Technology (NIST) classifies this as missing authentication for a critical function (CWE-306).

The attack succeeds by sending just four requests in sequence: first create a terminal session, assign a pseudo operation screen (a PTY shell), and finally pour a command into the gateway that receives terminal input. With this, an arbitrary command executes with the privileges of the user running the server. No special tools and no stolen credentials are needed. The 9.8 severity reflects this "seize the server with no preconditions" point. The vendor fixed it by imposing authentication on the terminal API, resolving it in version 0.51.788.

CVE-2026-58122: Impersonating "access from itself" to pry open internal-only features

For safety, Hermes WebUI's initial-setup (onboarding) gateway carried a restriction of "only accept access from within the same server (loopback, i.e. 127.0.0.1)." But that judgment took at face value the value of the "X-Forwarded-For" header that accompanies traffic to indicate the sender, so an attacker could impersonate "access from itself" merely by writing 127.0.0.1 into that header and sending it. NIST classifies this as making a decision based on untrusted information (CWE-348).

Prying open the internal-only gateway with this impersonation, the attacker can make the server communicate with another server (an abuse called SSRF), and can also hijack the registered LLM provider settings and API keys, and steal OAuth tokens from the file that stores credentials (auth.json). In other words, the "ring of keys" Hermes WebUI held leaks out all at once. The vendor fixed it so the header is no longer taken at face value, resolving it in version 0.51.307. To be sure of closing both, updating to the newer 0.51.788 or later is the reliable move.

Hermes WebUI has repeated unauthenticated holes

These two are not a one-off accident. Over the past few months, Hermes WebUI has been pointed out again and again for flaws where critical functions can be hit without authentication. In June, for example, a flaw that exploited a gap in the initial setup to set a password at will and lock the rightful owner out of their own server (CVE-2026-49973, severity 9.4) was disclosed and fixed in 0.51.358.

Alarmed by the sheer number, the U.S. Cloud Security Alliance (CSA) even put out a note titled "9 CVEs in 4 Days." The CSA points out that these flaws are rooted in the design itself rather than being individual typos. Its point: "the core capabilities that make these frameworks valuable — long-lived memory, broad tool access, skill installation at runtime, multi-provider credential integration, prompt-driven execution — are precisely the capabilities that expand the attack surface." Because the convenience and the danger come from the same root, frequent updates and settings biased toward safety are essential.

Affected versions and the fixed versions

The two have different fixed versions. To close both for sure, update to the newer 0.51.788 or later (the latest as of publication is v0.52.0). The table below lets you locate where your version stands.

IdentifierWhat it doesAffected versionsFixed in
CVE-2026-58123
(9.8)
Runs commands with no password
via the terminal gateway
Before 0.51.7880.51.788
CVE-2026-58122
(9.1)
Spoofs the access source to
steal API keys and OAuth tokens
Before 0.51.3070.51.307
Close bothTo fix them together0.51.788 or later
(latest v0.52.0)

Hermes WebUI is also distributed as a Docker image, so if you run it with Docker, swap the image for the latest and restart. Because this is a project whose versions update at a dizzying pace, setting up an auto-update mechanism where possible makes it harder to be left behind when the next flaw appears.

The timeline so far

← Swipe to move

The fixes were released first, and the vulnerability details were organized and disclosed afterward. Looking at the release history, the update frequency is very high, so instances left stopped on old versions risk still carrying several holes at once.

What is confirmed and what is still unknown

✓ Confirmed facts

  • CVE-2026-58123 (9.8) hits the terminal API without authentication and runs arbitrary commands on the server (NVD)
  • CVE-2026-58122 (9.1) steals API keys and OAuth tokens by spoofing the access source (NVD)
  • The fixes are 0.51.788 (58123) and 0.51.307 (58122), and the latest is v0.52.0 (GitHub)

? Not yet confirmed

  • ?As of publication, there is no official report that these two have been used in real attacks
  • ?They are not, as of publication, on the U.S. CISA "Known Exploited Vulnerabilities (KEV)" catalog of attacks confirmed in the wild (the latest KEV status can be checked here)
  • ?How many Hermes WebUI instances are left exposed on the internet is not clear as of publication

What you can do right now

The direction is clear. The top priority is to update Hermes WebUI to 0.51.788 or later (ideally the latest v0.52.0). Check the latest version on the GitHub release history, and if you run it with Docker, swap the image and restart.

Alongside that, we strongly recommend not exposing Hermes WebUI directly to the internet in the first place. Running it only within your home or office network, or inside a VPN, removes it from the target list of indiscriminate external scanning. Even if exposure is necessary, you should put login authentication or source restrictions in front of it. Furthermore, considering that keys may have been stolen before you updated, reissuing (rotating) your registered LLM API keys and the tokens for linked messaging services stops abuse should they have leaked.

More fundamentally, it helps to narrow the privileges and keys given to an AI agent to the bare minimum, and where possible to run it isolated in something like a container. Incidents where AI tools with strong privileges are taken over keep happening, and the same caution becomes necessary with other tools too — as with the flaw in the AI agent 'AutoGPT'.

What to doPurposePriority
Update to 0.51.788+Fundamentally close both holesTop
Do not expose to the netDrop off the indiscriminate scan listHigh
Reissue API keys / tokensStop abuse of already-leaked keysHigh

Frequently asked questions

Q. Is it dangerous even if I do not expose it to the net and use it only on my home PC?

A. In an environment not directly reachable from the internet, the risk of indiscriminate external attack drops considerably. However, it can still be abused if the same network is breached, or if someone enters your office/home network by another route. Regardless of whether it is exposed, updating to the latest version is the reliable move.

Q. If my API key is stolen, what specific harm results?

A. An LLM API key is a "usage pass" that incurs a charge each time it is used. If stolen, an attacker can run LLMs en masse on your contract, leading to charges you never made. This technique is called "LLMjacking." If tokens for linked messaging services are stolen too, it can spread to takeover of those accounts. After updating, consider reissuing your keys.

Q. Is it already being exploited?

A. As of this article, there is no confirmed official report of these two being used in real attacks, and they are not on CISA's Known Exploited Vulnerabilities (KEV) catalog. That said, Hermes WebUI has been pointed out for unauthenticated flaws repeatedly in a short span, and the techniques are simple, so it is safer to finish updating before exploitation begins.

Q. Where can I check my Hermes WebUI version?

A. You can check it in the admin screen's settings or version display, or by the tag of the Docker image you run. Compare it with the latest version on the GitHub release history; if it is older than 0.51.788, an update is needed. Because this is a project whose versions rise frequently, making a habit of checking periodically is the safe course.

In summary

This case is about how, behind the convenience of having your own personal AI agent, the size of the ring of keys and privileges the tool holds translates directly into the size of the damage. CVE-2026-58123 takes over the server with no password, and CVE-2026-58122 strips out the registered API keys and messaging credentials. That unauthenticated flaws keep recurring in a short span, in a popular tool with 15,000-plus stars, is not to be overlooked either.

The saving grace is that fixes are already out for both. Update to 0.51.788 or later, do not expose it directly to the net, and reissue any keys that may have been stolen. These three prevent most of the damage. For AI tools entrusted with strong privileges, it is best to make frequent updates a habit, on the premise that convenience and danger come from the same root. We will report again if new signs of exploitation emerge.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django