Skip to content

Instantly share code, notes, and snippets.

@YLChen-007

YLChen-007/CVE-2026-Discord-Mention-Bypass-Mattermost-Slack-ISSUE-REPORT.md Secret

Created April 24, 2026 09:47
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save YLChen-007/e90fb38ac03284176bae49898a3a46a4 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save YLChen-007/e90fb38ac03284176bae49898a3a46a4 to your computer and use it in GitHub Desktop.
Download ZIP
Arbitrary Mass Mention Bypass in Slack and Mattermost Adapters
Raw
CVE-2026-Discord-Mention-Bypass-Mattermost-Slack-ISSUE-REPORT.md

Advisory Details

Title: Arbitrary Mass Mention Bypass in Slack and Mattermost Adapters

Description:

Summary

The Hermes Agent Slack and Mattermost platform adapters contain a dangerous output sanitization bypass. An unauthenticated or low-privileged attacker can manipulate the LLM agent via prompt injection into generating unescaped mass-ping mentions (e.g., <!everyone>, @all). These mentions bypass gateway-level sanitization and are passed verbatim to the external chat platforms, leading to unauthenticated notification exhaustion (Spam/DoS) directed at all workspace users.

Details

The root cause lies in how the SlackAdapter and MattermostAdapter process output generated by the LLM before forwarding it to the platform APIs:

  • Slack Adapter: In the format_message function, the code leverages a protective regular expression re.sub(r'(<(?:[@#!]|(?:https?|mailto|tel):)[^>\n]+>)', ...) to preserve valid links and entities from being broken. However, <everyone> and internal Slack-specific mass tags like <!everyone> exactly match this regex. As a result, they are inadvertently insulated from the formatter's escaping mechanisms and transported unmodified alongside mrkdwn=True to the Slack API, triggering a workspace-wide notification.
  • Mattermost Adapter: In the send method, the code directly assigns the LLM's text to the "message" field of the /posts API payload. By default, Mattermost will eagerly parse @all or @channel and execute a push notification to all channel participants. The implementation explicitly fails to apply "props": {"disable_mentions": True}—the documented requirement for preventing automated accounts from executing mass mentions.

Because LLM outputs are externally controllable via standard prompt interactions, an attacker can coerce the injection of these dangerous primitives into the trusted outgoing message.

PoC

Prerequisites

  • An active hermes-agent integrating the SlackAdapter or MattermostAdapter into an enterprise workspace.
  • The Agent bot must possess standard messaging permissions (e.g., chat:write).
  • The attacker must be able to influence the Agent's response context (e.g., through direct messaging or interacting in a shared channel).

Reproduction Steps

IMPORTANT: Do NOT embed full source code of PoC scripts directly in this report. Instead, each required script file has been uploaded as a secret GitHub Gist. Reference the Gist URL so that developers can download and run the scripts directly. The corresponding PoC files are available in the CVE-2026-Discord-Mention-Bypass-Mattermost-Slack-Variant-exp folder under the same directory as this report.

  1. Download the Exploit verification script from: poc_exploit.py
  2. Run the script: python poc_exploit.py. The mock environment validates that raw <!everyone> and @all payloads bypass the formatting layer and are transported intact across the HTTP network boundary.
  3. Observe the exploit output confirming the bypass success.
  4. Download the Control configuration to test secure (non-payload) handling at: control-normal_behavior.py
  5. Run the control script: python control-normal_behavior.py. Observe normal interactions proceed correctly without triggering warnings.

Log of Evidence

[SUCCESS] Mattermost VULNERABLE: Received ping 'LLM Agent says: @all please restart.' without disable_mentions=True
[SUCCESS] Slack VULNERABLE: Received ping 'LLM Agent says: <!everyone> look at this.' raw

[EXPLOITED-EXTERNAL] Successfully triggered mass mention in both Slack and Mattermost!

Impact

  • Impact Type: Social Engineering Denial of Service (Notification Exhaustion).
  • Affected Assets: All workspace participants using the associated chat platforms.
  • By utilizing prompt injection, an attacker can repetitively coerce the Agent into sending <!everyone> and @all. This results in severe and continuous interruption via high-priority audio/visual push notifications forced onto thousands of enterprise employees' mobile and desktop environments, circumventing individual mute settings and heavily degrading workspace productivity.

Affected products

  • Ecosystem: python
  • Package name: hermes-agent
  • Affected versions: <= 2026.4.16
  • Patched versions:

Severity

  • Severity: Medium
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Weaknesses

  • CWE: CWE-116: Improper Encoding or Escaping of Output
  • CWE: CWE-20: Improper Input Validation

Occurrences

Permalink Description
https://github.com/NousResearch/hermes-agent/blob/v2026.4.16/gateway/platforms/slack.py#L487-L491 The protective regex inadvertently shields strings like <!everyone>, bypassing subsequent output sanitization.
https://github.com/NousResearch/hermes-agent/blob/v2026.4.16/gateway/platforms/mattermost.py#L269-L276 The JSON payload construction explicitly omits adding "props": {"disable_mentions": True}, leaving @all tags dangerous.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment