Hermes WebUI versions before 0.51.788 contain a critical unauthenticated remote code execution flaw tracked as CVE-2026-58123. The vulnerability stems from missing authentication on embedded terminal API endpoints, allowing a remote attacker to reach privileged functionality without logging in and execute arbitrary shell commands as the server process user. The issue has been classified as CWE-306 and carries high impact across confidentiality, integrity, and availability.
According to the advisory, exploitation requires four sequential unauthenticated HTTP requests: an attacker can create a terminal session, attach a PTY shell, and then send commands through the terminal input endpoint. A fix is available in version 0.51.788, with references pointing to a remediation commit, pull request, and release tag, and organizations running Hermes WebUI are exposed until they upgrade.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
A critical unauthenticated remote code execution vulnerability affecting Hermes WebUI versions before 0.51.788 was disclosed. The flaw allows remote attackers to access terminal API endpoints without credentials and execute arbitrary shell commands via four sequential unauthenticated HTTP requests.
Hermes WebUI version 0.51.788 was released with 'embedded-terminal access hardening.' This release appears to introduce the security fix for the later-disclosed unauthenticated RCE affecting versions before 0.51.788.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcevulncheck.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.