Vulnerability  ·  2026-07-05

NousResearch hermes-agent — Discord Platform Adapter Authentication Bypass

Vulnerability · Medium impact · Global · CVE-2026-14627
hermes-agent's Discord platform integration contains an improper authentication flaw in its allow-list check, letting unauthorized Discord users bypass the intended access restriction. Published to NVD July 4, 2026, CVSS 5.6 (Medium).
Any unauthorized user able to interact with the agent bypasses the operator's intended access boundary, potentially triggering privileged agent actions or accessing conversation context meant to be restricted to allow-listed users.
The DiscordAdapter._is_allowed_user function in gateway/platforms/discord.py improperly authenticates callers, allowing unauthorized users on a connected Discord platform integration to interact with the agent as if allow-listed.
NousResearch hermes-agent ≤ 0.15.2
No confirmed fixed version; restrict/audit Discord integration allow-lists pending patch from NousResearch.
NVD - CVE-2026-14627