H3-2026-1011¶
Hermes WebUI Unauthenticated Embedded Terminal Remote Code Execution Vulnerability
| Category | VULNERABILITY |
| Base Score | 9.8 |
Description¶
Hermes WebUI exposes embedded terminal endpoints (/api/terminal/start, /api/terminal/input, /api/terminal/output, and related paths) that spawn and drive a PTY shell, executing arbitrary commands as the server process user. The root cause is a missing authentication check: When WebUI authentication is not configured, which is the default out-of-the-box state, the check_auth() function admits every caller unconditionally. Remote attackers with network access to the WebUI port can open a terminal session and inject arbitrary shell commands. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and affects all instances running without a configured password or passkey.
Impact¶
Successful exploitation grants full command execution, as the server process user, on any network-exposed passwordless instance. Attackers can exfiltrate data, establish persistence, and pivot laterally across the network. Default installations are vulnerable without any configuration changes, broadening the exposed attack surface. Organizations using Hermes WebUI in development or CI/CD environments face elevated risk.