Nanobot CVE-2026-2577
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes.
AnalysisAI
Nanobot WhatsApp bridge binds its WebSocket server to all interfaces (0.0.0.0) without authentication (CVSS 10.0), exposing the WhatsApp bridge to remote access.
Technical ContextAI
The WhatsApp bridge in Nanobot binds to 0.0.0.0 with CWE-306 missing authentication, allowing any network user to interact with the WhatsApp bridge.
Affected ProductsAI
Nanobot WhatsApp bridge
RemediationAI
Bind to localhost only. Implement WebSocket authentication.
Share
External POC / Exploit Code
Leaving vuln.today