Description
A security vulnerability has been detected in NousResearch hermes-agent up to 0.15.2. This affects the function DiscordAdapter._is_allowed_user of the file gateway/platforms/discord.py of the component Discord Platform Integration. Such manipulation leads to improper authentication. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-07-04
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the DiscordAdapter._is_allowed_user function of NousResearch Hermes-agent up to version 0.15.2. It allows remote attackers to bypass the normal authentication checks performed when the bot receives a request from Discord, potentially granting unauthorized users the ability to execute privileged commands or otherwise abuse the bot’s functionality. This could lead to unauthorized access to bot capabilities, data leakage, or service disruption.

Affected Systems

The affected product is NousResearch Hermes-agent. All versions up to and including 0.15.2 are vulnerable. Upgrades to newer releases that incorporate the fix are necessary to protect systems using this integration.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and no EPSS score is available, so the exploit probability is undetermined. The vulnerability can be exploited remotely, but it is reported as having high complexity and difficult exploitability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to craft a malicious request that deceives the bot into accepting an unauthenticated user as valid, which requires knowledge of the Discord integration path but does not require local system access.

Generated by OpenCVE AI on July 5, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hermes-agent to a version newer than 0.15.2 that includes the authentication fix.
  • If an upgrade is not immediately possible, limit the bot’s permissions or disable the Discord platform integration until a patch is applied.
  • Implement logging and monitoring of Discord command invocations to detect any unauthorized usage and review the bot’s authentication logic to enforce stricter checks.

Generated by OpenCVE AI on July 5, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in NousResearch hermes-agent up to 0.15.2. This affects the function DiscordAdapter._is_allowed_user of the file gateway/platforms/discord.py of the component Discord Platform Integration. Such manipulation leads to improper authentication. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title NousResearch hermes-agent Discord Platform Integration discord.py DiscordAdapter._is_allowed_user improper authentication
First Time appeared Nousresearch
Nousresearch hermes-agent
Weaknesses CWE-287
CPEs cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*
Vendors & Products Nousresearch
Nousresearch hermes-agent
References
Metrics cvssV2_0

{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Nousresearch Hermes-agent
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T12:45:06.333Z

Reserved: 2026-07-03T17:07:50.732Z

Link: CVE-2026-14627

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses