CVE-2026-9354: Arbitrary Mass Mention Bypass in NousResearch hermes-agent Slack and Mattermost Adapters

The hermes-agent software facilitates communication between local Large Language Models and enterprise chat platforms. The agent operates platform-specific adapters to format and transmit LLM-generated output to Slack and Mattermost workspaces. Vulnerability CVE-2026-9354 exists within these adapters due to insufficient sanitization of platform-specific mention syntax.

The Slack adapter (gateway/platforms/slack.py) and the Mattermost adapter (gateway/platforms/mattermost.py) fail to neutralize mass-ping keywords. This failure allows the agent to issue workspace-wide notifications. The vulnerability is classified under CWE-116 (Improper Output Neutralization) for Slack and CWE-20 (Improper Input Validation) for Mattermost.

Unauthenticated remote attackers can exploit this via indirect prompt injection. By supplying malicious text that the LLM processes and outputs, the attacker coerces the agent into transmitting raw mass mentions. This mechanism triggers widespread notification exhaustion and disrupts workspace operations.

The vulnerability consists of two distinct implementation flaws across the platform adapters. The Slack adapter flaw originates from an overly permissive regular expression used during message formatting. The adapter attempts to protect valid Slack entities from subsequent formatting logic using a dedicated substitution function.

The regular expression re.sub(r'(<(?:[@#!]|(?:https?|mailto|tel):)[^>\n]+>)', ...) successfully matches valid user mentions and URLs. However, it also matches mass-ping tags such as <!everyone> and <!channel>. Because the matching logic protects these strings from sanitization, they are transmitted unaltered to the Slack API. The API processes the message with mrkdwn=True, executing the mass ping.

The Mattermost adapter vulnerability involves an omitted security configuration in the API payload construction. The adapter constructs a JSON payload for the /posts endpoint but fails to include the necessary properties to restrict bot mentions. The adapter code directly assigns the LLM output to the message field without establishing platform-specific guardrails.

Mattermost requires automated integrations to explicitly set the disable_mentions flag within the props object to suppress automated notifications. The hermes-agent implementation omits this property entirely. Consequently, the Mattermost server processes the LLM-generated @all string as a legitimate human-initiated workspace ping.

The Slack adapter formatting logic requires structural changes to prevent mass-mention preservation. The current implementation uses a capture group that inadvertently matches the exclamation mark used in Slack broadcast mentions.

# Vulnerable Slack Regex in gateway/platforms/slack.py
re.sub(r'(<(?:[@#!]|(?:https?|mailto|tel):)[^>\n]+>)', ...)

The regex must be restricted to prevent matching broadcast directives. Alternatively, developers must implement a secondary sanitization pass that specifically neutralizes broadcast keywords after the initial parsing stage.

The Mattermost implementation requires a straightforward configuration patch. The vulnerable code constructs the outgoing message without the required restriction properties.

# Vulnerable Mattermost Payload in gateway/platforms/mattermost.py
payload = {
    "channel_id": channel_id,
    "message": content
}

The fix requires appending the props dictionary with disable_mentions set to True. This instructs the Mattermost server to render the @all string as plain text rather than an active notification.

# Mitigated Mattermost Payload
payload = {
    "channel_id": channel_id,
    "message": content,
    "props": {"disable_mentions": True}
}

The fundamental data flow and bypass mechanics are illustrated below.

Exploitation relies on prompt injection methodologies. The attacker must control a portion of the input that the underlying LLM processes. This input is typically delivered via public channels, direct messages, or external data sources that the agent periodically ingests.

The attacker supplies a payload instructing the LLM to output specific strings. For Slack targets, the payload dictates the inclusion of the string literal <!everyone>. For Mattermost targets, the payload dictates the inclusion of the string literal @all.

A public Proof-of-Concept demonstrates the viability of this attack vector. The researcher verification script confirmed that the hermes-agent processes and transmits these strings without modification or filtering. The execution results in direct interaction with the chat platform's notification router.

The PoC execution log confirms the target platforms successfully parse and render the broadcast tags. The Mattermost server parsed @all due to the missing disable_mentions property. The Slack server executed <!everyone> due to the regular expression bypass protecting the raw tag.

The direct consequence of this vulnerability is a targeted notification exhaustion attack against enterprise environments. A single successful exploit triggers asynchronous alerts for every user within the workspace or channel. Repeated exploitation renders organizational communication platforms unusable.

The attack requires no authentication to the target chat platform. The attacker leverages the pre-existing API permissions granted to the hermes-agent integration. This access effectively bypasses internal network boundaries and platform access controls established by the organization.

The vulnerability carries a CVSS 4.0 score of 6.9, categorizing it as a medium severity flaw. The exploit requires low complexity and no user interaction, but the direct impact is limited to availability and systemic notification integrity.

As of the disclosure date, there is no evidence of active exploitation in the wild. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

NousResearch has not released an official patch for version 2026.4.16. Organizations operating hermes-agent must implement manual source code workarounds to mitigate the vulnerability. Modifying the adapter source code is the primary immediate remediation strategy.

Administrators must update gateway/platforms/mattermost.py to include the disable_mentions property in the /posts JSON payload. This single configuration change completely eliminates the mass mention vector for Mattermost deployments.

Slack deployments require either regex modification or secondary sanitization within gateway/platforms/slack.py. Implementing a dedicated string replacement function to neutralize <!everyone> and <!channel> prior to API transmission provides reliable mitigation.

Organizations should also deploy LLM guardrails independently of the platform adapters. Output-filtering middleware that intercepts and inspects generated text adds defense-in-depth and prevents similar injection bypasses in future integration implementations.