Skip to main content

Nanobot CVE-2026-35589

HIGH
Missing Origin Validation in WebSockets (CWE-1385)
2026-04-14 security-advisories@github.com
8.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 01:12 vuln.today
Analysis Generated
Apr 14, 2026 - 23:22 vuln.today
CVE Published
Apr 14, 2026 - 23:16 nvd
HIGH 8.0

DescriptionGitHub Advisory

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to 127.0.0.1 and added an optional BRIDGE_TOKEN parameter, but token authentication is disabled by default and the server does not validate the Origin header during the WebSocket handshake. Because browsers do not enforce the Same-Origin Policy on WebSockets unless the server explicitly denies cross-origin connections, any website visited by a user running the bridge can establish a WebSocket connection to ws://127.0.0.1:3001/ and gain full access to the bridge API. This allows an attacker to hijack the WhatsApp session, read incoming messages, steal authentication QR codes, and send messages on behalf of the user. This issue has bee fixed in version 0.1.5.

AnalysisAI

Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establish unauthorized WebSocket connections to the local bridge server (ws://127.0.0.1:3001/), enabling WhatsApp session hijacking, message interception, QR code theft, and unauthorized message transmission. This vulnerability stems from incomplete remediation of CVE-2026-2577, where the added BRIDGE_TOKEN authentication is disabled by default and the server fails to validate the Origin header during WebSocket handshakes. Attack complexity is high (AC:H) but requires no authentication (PR:N), only user interaction (UI:R) such as visiting a malicious website while the bridge is running. No public exploit identified at time of analysis, though the technical details are fully disclosed in GitHub security advisory GHSA-v5j3-4q66-58cf.

Technical ContextAI

This vulnerability exploits a fundamental limitation in browser security: the Same-Origin Policy does not automatically protect WebSocket connections unless the server enforces origin validation. The nanobot bridge WebSocket server (bridge/src/server.ts) binds to localhost (127.0.0.1:3001) and implements optional token-based authentication via BRIDGE_TOKEN parameter, but this protection is disabled by default. CWE-1385 (Missing Origin Validation in WebSockets) describes this exact weakness where servers fail to check the Origin header sent by browsers during the WebSocket handshake. Because the vulnerability involves a local service accessible at 127.0.0.1, any web page loaded in the user's browser can use JavaScript to initiate WebSocket connections to this endpoint, bypassing traditional cross-origin protections. The bridge appears to provide an API interface for WhatsApp integration, making it a high-value target for session hijacking attacks. The issue represents an incomplete security fix, suggesting the original CVE-2026-2577 addressed network exposure (changing from 0.0.0.0 to 127.0.0.1) but failed to implement proper origin-based access controls.

RemediationAI

Upgrade immediately to nanobot version 0.1.5 or later, available at github.com/HKUDS/nanobot/releases/tag/v0.1.5, which implements proper Origin header validation in the WebSocket handshake to prevent cross-site hijacking attacks. For users unable to upgrade immediately, enable the BRIDGE_TOKEN authentication parameter as a temporary mitigation, though this is not a complete fix since the underlying Origin validation flaw persists. Review the GitHub security advisory at github.com/HKUDS/nanobot/security/advisories/GHSA-v5j3-4q66-58cf for additional context. Organizations should audit any instances where the bridge server runs continuously and consider restricting its use to only when actively needed to minimize the attack window. After upgrading, verify that the bridge server properly rejects WebSocket connections from unauthorized origins by testing with browser developer tools.

Share

CVE-2026-35589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy