NousResearch Hermes-Agent Slack and Mattermost Output Sanitization Bypass Vulnerability

Vulnerability

A vulnerability exists in NousResearch Hermes-Agent versions through 2026.4.16, specifically within the Slack and Mattermost adapters. This issue involves an output sanitization bypass that allows an attacker to manipulate the agent into sending unescaped mass mentions, such as `<!everyone>` or `@all`, directly to external chat platforms. The vulnerability can be exploited remotely, leading to a denial-of-service condition by causing notification exhaustion for all users in a workspace.

Impact

Exploitation of this vulnerability allows for an arbitrary mass mention bypass, causing notification exhaustion directed at all users in a Slack or Mattermost workspace. This results in a significant disruption of communication, as high-priority notifications are forced to all channel participants, bypassing individual mute settings and causing a considerable drain on productivity.

Reproduction

To reproduce this vulnerability, an active Hermes-Agent integration with either the Slack or Mattermost adapter is required. The agent must have standard messaging permissions, and the attacker must be able to influence the agent's response context. Once these conditions are met, the vulnerability can be exploited by causing the agent's response to include unescaped mass-mention tags, which are then forwarded to the chat platform without sanitization.
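A defensive sanitizer for the outbound path described above, as an added example that is not Hermes-Agent's own code. The escaping rules (Slack's `<!…>` control sequences escaped via `&lt;`, Mattermost's bare `@all`/`@channel`/`@here` broken with a zero-width space) and the sample agent output are assumptions based on the platforms' public message formats.

```python
import re

# Slack renders <!everyone>, <!channel>, <!here> and <!subteam^ID> as mass or group
# mentions. Escaping the leading '<' as '&lt;' makes Slack show the literal text.
# Bare "@channel" is only linkified when the API call sets parse=full/link_names,
# so the caller should also keep the default parse=none (assumption from Slack docs).
_SLACK_MASS = re.compile(r"<!(?:everyone|channel|here|subteam\^[A-Z0-9]+)(?:\|[^>]*)?>")

# Mattermost triggers mass mentions on the bare words @all, @channel, @here.
# The lookbehind keeps e-mail-like text such as bob@all.example intact.
_MM_MASS = re.compile(r"(?<![\w.])@(all|channel|here)\b", re.IGNORECASE)

# Zero-width space inserted after '@': invisible to readers, breaks the mention token.
_ZWSP = "\u200b"


def mass_mention_hits(text: str, platform: str) -> list[str]:
    """Return the raw mass-mention tokens found in text; useful for logging or alerting."""
    pattern = {"slack": _SLACK_MASS, "mattermost": _MM_MASS}[platform]
    return [m.group(0) for m in pattern.finditer(text)]


def sanitize_slack(text: str) -> str:
    """Neutralise Slack mass mentions; ordinary user mentions like <@U123> are kept."""
    return _SLACK_MASS.sub(lambda m: "&lt;" + m.group(0)[1:], text)


def sanitize_mattermost(text: str) -> str:
    """Neutralise Mattermost mass mentions while preserving the visible word."""
    return _MM_MASS.sub(lambda m: "@" + _ZWSP + m.group(1), text)


def sanitize_outbound(text: str, platform: str) -> str:
    """Apply the platform-specific escaping to agent output before it is posted."""
    if platform == "slack":
        return sanitize_slack(text)
    if platform == "mattermost":
        return sanitize_mattermost(text)
    raise ValueError(f"unknown platform: {platform}")


if __name__ == "__main__":
    # Constructed sample of model output whose content was steered by a prompt.
    agent_output = "Deploy finished. <!everyone> <!subteam^S0ABC|@ops> review; cc @all and <@U0XYZ>"
    for platform in ("slack", "mattermost"):
        print(platform, "hits:", mass_mention_hits(agent_output, platform))
        print(platform, "safe:", sanitize_outbound(agent_output, platform))
```

Running the hit detector on every outbound message before sanitizing gives the adapter a log line to alert on when a response tried to page the whole workspace.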

Added: May 26, 2026, 8:58 PM
Updated: May 26, 2026, 8:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 8.7
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.