CVE-2026-58122 is an authentication bypass vulnerability affecting Hermes WebUI before version 0.51.307. The flaw exists in onboarding endpoints that rely on local-origin IP restrictions for access control and improperly trust the X-Forwarded-For header when determining whether a request originates from localhost. An unauthenticated remote attacker can supply a spoofed X-Forwarded-For value containing a loopback address to bypass the intended restriction and reach functionality that should be limited to local access. Once this trust boundary is bypassed, the exposed onboarding functionality can be abused to trigger server-side request forgery against internal services, including cloud metadata services, alter LLM provider configuration and associated API credentials to attacker-controlled values, and initiate OAuth device-code authorization flows that result in persistent access tokens being stored on the system.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.