What happened
hermes-agent's Discord platform integration contains an improper authentication flaw in its allow-list check, letting unauthorized Discord users bypass the intended access restriction. It was published to NVD on July 4, 2026, with a CVSS score of 5.6 (Medium).
Why it matters
Any unauthorized user able to interact with the agent bypasses the operator's intended access boundary, potentially triggering privileged agent actions or accessing conversation context meant to be restricted to allow-listed users.
Attack vector
The DiscordAdapter._is_allowed_user function in gateway/platforms/discord.py improperly authenticates callers, allowing unauthorized users on a connected Discord platform integration to interact with the agent as if allow-listed.
Affected systems
NousResearch hermes-agent ≤ 0.15.2
Mitigation
No fixed version has been confirmed. Until NousResearch ships a patch, restrict and audit Discord integration allow-lists.
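One way to audit an allow-list as suggested above, shown as an added example that is not hermes-agent code and does not reflect the root cause of this flaw, which the advisory does not describe. It assumes the allow-list is a comma-separated string of Discord user IDs; the function names and the sample value are hypothetical.

```python
import re

# Discord user IDs are snowflakes: unsigned 64-bit integers written in decimal.
# [0-9] is used instead of \d so Unicode digit look-alikes never match.
SNOWFLAKE = re.compile(r"[0-9]{17,20}")
WILDCARDS = {"*", "all", "everyone"}  # assumed spellings worth flagging

def audit_allow_list(raw):
    """Return (clean_ids, findings) for a comma-separated allow-list string."""
    findings, clean = [], set()
    for entry in (e.strip() for e in (raw or "").split(",")):
        if not entry:
            findings.append("empty entry")
        elif entry.lower() in WILDCARDS:
            findings.append(f"wildcard entry {entry!r}")
        elif not SNOWFLAKE.fullmatch(entry) or int(entry) >= 2**64:
            # Usernames and display names are mutable; only numeric IDs are stable.
            findings.append(f"not a numeric user ID: {entry!r}")
        elif entry in clean:
            findings.append(f"duplicate ID {entry}")
        else:
            clean.add(entry)
    if not clean:
        findings.append("no valid IDs: a fail-closed check denies everyone")
    return clean, findings

def is_allowed(user_id, clean_ids):
    """Fail-closed membership test on the immutable numeric ID only."""
    uid = str(user_id)
    return bool(clean_ids) and SNOWFLAKE.fullmatch(uid) is not None and uid in clean_ids

# Constructed sample value, not taken from any real deployment.
SAMPLE = "123456789012345678, alice, *, ,123456789012345678,987654321098765432"

if __name__ == "__main__":
    ids, problems = audit_allow_list(SAMPLE)
    print("usable IDs:", sorted(ids))
    for p in problems:
        print("finding:", p)
```

An empty or entirely invalid list yields no usable IDs, so `is_allowed` denies every caller rather than treating "no list" as "no restriction".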