## Aegis Security Flaw: Default Telegram Config Allows Any Group Member to Control Sessions
A critical security vulnerability in the Aegis automation platform leaves its Telegram integration wide open. When the `AEGIS_TG_ALLOWED_USERS` environment variable is not explicitly configured—the default state—the system accepts inbound commands from any user in the linked Telegram group. This includes destructive commands like `kill`, `approve`, `reject`, and `escape`, as well as arbitrary message injection into any active session. The access control guard in the source code only activates if an allowlist is populated, meaning a standard installation has zero command authorization.

This flaw stems from a conditional check in `src/channels/telegram.ts`. The code block that verifies a user's ID against a configured allowlist only runs if `allowedUserIds.length > 0`. If the list is empty—which is the default when the variable is unset—the check is bypassed entirely, granting unconditional passage to any command. Consequently, in a shared Telegram supergroup, every member gains the power to terminate sessions, manipulate approval flows, and inject unauthorized messages.

The exposure creates a severe operational risk for teams using Aegis for automated workflows, potentially allowing insider threats or compromised accounts to disrupt critical processes. The vulnerability highlights a dangerous default-security posture, where a missing configuration silently disables all access controls. Administrators are urged to immediately set the `AEGIS_TG_ALLOWED_USERS` variable to restrict command execution to authorized personnel only.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, telegram, access-control, default-config
- **Credibility**: unverified
- **Published**: 2026-04-05 16:27:03
- **ID**: 50658
- **URL**: https://whisperx.ai/en/intel/50658