[Bug]: Gateway auth bypass — unauthorized user messages processed despite "Unauthorized" log

[muazzissnajmi]

Bug Description

When TELEGRAM_ALLOWED_USERS is set, unauthorized Telegram users trigger an "Unauthorized user" warning in logs but their messages are still processed by the agent. The auth check logs the violation but does not actually block message processing.

Steps to Reproduce

1. Set TELEGRAM_ALLOWED_USERS to a specific user ID
2. Have a different Telegram user DM the bot
3. Gateway logs "Unauthorized user" warning
4. Message is still processed and agent responds

Expected Behavior

Unauthorized messages should be dropped immediately after the auth check. No agent processing, no response sent back.

Actual Behavior

Unauthorized user's messages are processed by the agent and receive full responses. The agent executes tool calls and returns results to the unauthorized user. The "Unauthorized user" log entry is the only indication of the violation — no blocking occurs.

Affected Component

Gateway (Telegram/Discord/Slack/WhatsApp)

Messaging Platform (if gateway-related)

Telegram

Debug Report

— logs contain sensitive credentials from the security incident.

Operating System

Ubuntu 24.04

Python Version

Python: 3.11.15

Hermes Version

Hermes Agent v0.13.0 (2026.5.7)

Additional Logs / Traceback (optional)

Root Cause Analysis (optional)

No response

Proposed Fix (optional)

No response

Are you willing to submit a PR for this?

• I'd like to fix this myself and submit a PR

[ygd58]

Submitted a fix in #23795.

Root cause: _should_process_message() returned True unconditionally for DMs, bypassing TELEGRAM_ALLOWED_USERS. The allowlist was only enforced for inline-button callbacks.

Fix: add _is_callback_user_authorized() check at the top of _should_process_message() so all inbound message types (text, command, media, location) are gated by the allowlist before any processing occurs.

[muazzissnajmi]

Additional context from the incident:

Timeline detail:

Before the auth bypass occurred, there were 4 Telegram polling conflicts logged ("terminated by other getUpdates request; make sure that only one bot instance is running") within a ~5 minute window. This was followed by a gateway restart at 16:15:33. The very first polling batch after reconnect processed the attacker's message without any auth check — no "Unauthorized" warning, straight to inbound message.

Additional bugs observed during this incident:

1. Auto-resume ignores auth — After I fixed TELEGRAM_ALLOWED_USERS and restarted gateway a second time, the attacker's session was auto-resumed ("Scheduled auto-resume for 1 restart-interrupted session(s)") and the agent sent another 693-char response to the attacker without re-validating whether the user was still authorized.

2. Auth state inversion — At 16:30, my own messages (the actual owner in ALLOWED_USERS) were rejected as "Unauthorized user" while the attacker continued to be served. This suggests the auth state got corrupted, not just bypassed.

3. Self-approval — The attacker was able to click approval buttons in their own DM chat (choice=always), granting themselves blanket tool access. Manual approval mode provides no protection when buttons are sent to the requester instead of the bot owner.

Relevant logs (sanitized):


Auth working correctly before restart:
16:04-16:15  6x "Unauthorized user: <attacker>" — all blocked ✓

Polling conflicts:
16:05:15  Telegram polling conflict (1/3) — terminated by other getUpdates request
16:06:22  Telegram polling conflict (1/3)
16:09:44  Telegram polling conflict (1/3)
16:10:02  Telegram polling conflict (1/3)

Gateway restart:
16:15:33  Stopping gateway for restart...
16:15:44  Starting Hermes Gateway...
16:15:45  Connected to Telegram (polling mode)

Auth bypass — same attacker, no warning:
16:16:01  inbound message: user=<attacker> msg='Hey'
16:16:10  response ready: chat=<attacker> time=8.3s

Owner blocked (auth inversion):
16:30:03  Unauthorized user: <owner_id> (owner) on telegram

After fix + restart, auto-resume still serves attacker:
16:36:38  Scheduled auto-resume for 1 restart-interrupted session(s)
16:36:38  inbound message: user=<attacker> msg=''
16:39:08  response ready: chat=<attacker> time=149.7s api_calls=12

Auth finally works again:
16:40:48  Unauthorized user: <attacker> — blocked ✓


The PR addresses the root cause, but the auto-resume and self-approval issues may need separate fixes.

[ygd58]

Submitted #23800 for the auto-resume auth bypass (issue 1 from your additional context). Sessions whose owner is no longer in TELEGRAM_ALLOWED_USERS are now skipped before the synthetic resume event is dispatched.

Issues 2 (auth state inversion) and 3 (self-approval) need deeper investigation — will look into them separately.

[ygd58]

All three issues from your additional context are now addressed:

1. Auto-resume auth bypass → fix(gateway): validate user authorization before auto-resume #23800: sessions whose owner is no longer in TELEGRAM_ALLOWED_USERS are skipped on gateway restart
2. Auth state inversion → fix(gateway): pairing store cannot bypass platform allowlist #23805: pairing store can no longer bypass the allowlist — a user paired via Always is re-validated against TELEGRAM_ALLOWED_USERS; if removed, the pairing is revoked
3. Self-approval → mitigated by fix(telegram): enforce TELEGRAM_ALLOWED_USERS allowlist on inbound messages #23795: once inbound messages are blocked, the attacker cannot receive approval buttons in the first place