Security: Telegram gateway can be open to all users by default / setup should fail closed

[uwuziqobay25-lab]

Bug description

A Telegram gateway instance was observed accepting DMs from any Telegram account that discovered the bot. The config had GATEWAY_ALLOW_ALL_USERS=true and no Telegram-specific allowlist, so another Telegram account could message the bot and receive normal agent responses.

For an agent with local tools (terminal, files, browser, GitHub, etc.), this is a dangerous default/UX footgun: anyone who finds the bot can potentially trigger agent work on the host unless command approvals happen to block the specific action.

Why this is security-sensitive

• Telegram bot usernames are discoverable/shareable.
• A random DM to the bot should not become an authorized agent session.
• The gateway agent may have access to local filesystem, terminal, credentials-mediated integrations, cron, GitHub, etc.
• approvals.mode=smart is not an authorization boundary; the user should be denied before the agent loop/tool loop.

Observed behavior

1. Telegram gateway was running.
2. .env contained GATEWAY_ALLOW_ALL_USERS=true.
3. A second Telegram account messaged the bot.
4. The bot answered normally and created a separate DM session.
5. After changing to GATEWAY_ALLOW_ALL_USERS=false and setting TELEGRAM_ALLOWED_USERS=<known ids>, a third account was correctly logged as Unauthorized user and denied.

Expected behavior

Default and setup-generated Telegram gateway config should be fail-closed:

• GATEWAY_ALLOW_ALL_USERS should not be enabled by default.
• hermes gateway setup should strongly prefer collecting/setting TELEGRAM_ALLOWED_USERS (or pairing) for DMs.
• If the user chooses open access, it should require an explicit scary confirmation such as “any Telegram user who finds this bot can talk to your local agent”.
• Startup should probably warn loudly when any *_ALLOW_ALL_USERS=true is set for a tool-enabled gateway.

Relevant code paths

From current checkout:

• gateway/run.py::_is_user_authorized():
  • checks platform allow-all flags first;
  • checks pairing/allowlists;
  • if no allowlists are configured, returns GATEWAY_ALLOW_ALL_USERS.
• gateway/platforms/telegram.py::_is_authorized_user() currently falls back to allowing everyone if TELEGRAM_ALLOWED_USERS is empty, though it attempts to call runner auth first.
• Startup warning in gateway/run.py only warns if no allowlist and no allow-all are configured; it does not warn when allow-all is configured.

Suggested fix

1. Make setup/config defaults fail-closed for Telegram DMs.
2. Ensure Telegram adapter fallback does not allow all users when runner auth is unavailable; fail closed unless explicit TELEGRAM_ALLOW_ALL_USERS=true/GATEWAY_ALLOW_ALL_USERS=true is set.
3. Add tests for:
   • no allowlist + no allow-all => unauthorized;
   • GATEWAY_ALLOW_ALL_USERS=true => authorized only with explicit opt-in;
   • TELEGRAM_ALLOWED_USERS only admits listed IDs;
   • Telegram adapter fallback path is not accidentally open.
4. Add CLI/gateway setup messaging that explains the risk.

Environment

• Hermes Agent v0.12.0 installed locally
• Telegram gateway in polling mode
• Linux/Ubuntu host

If open access is intended as a feature, I think the issue is still that the default/setup UX makes it too easy to expose a local tool-enabled agent to anyone who finds the Telegram bot.