Skip to main content

Nanobot CVE-2026-49139

| EUVDEUVD-2026-33759 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-01 VulnCheck GHSA-gv7x-pq3j-c5mj
7.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 01, 2026 - 22:56 vuln.today
Analysis Generated
Jun 01, 2026 - 22:56 vuln.today
CVSS changed
Jun 01, 2026 - 21:22 NVD
7.0 (HIGH)
CVE Published
Jun 01, 2026 - 19:50 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 19:50 nvd
HIGH 7.0

DescriptionCVE.org

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to transmit token-bearing Authorization header requests to an attacker-controlled host.

AnalysisAI

Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft Bot Framework bearer tokens by poisoning the stored Teams conversation reference with an attacker-controlled serviceUrl. VulnCheck reported the issue and HKUDS shipped a fix in v0.2.1 (commit 232df45), but at time of analysis there is no public exploit identified and the CVE is not on CISA KEV. CVSS 4.0 of 7.0 reflects low vulnerable-system impact but High confidentiality/integrity impact on subsequent (downstream) systems - namely the Bot Framework tenant whose tokens are leaked.

Technical ContextAI

Nanobot is an open-source agent runtime (cpe:2.3:a:hkuds:nanobot) that integrates with chat platforms including Microsoft Teams via the Bot Framework. In the Bot Framework protocol, each inbound Activity carries a serviceUrl field that the bot is expected to call back to when sending replies, attaching an OAuth bearer token in the Authorization header. The vulnerable Teams channel handler trusts the serviceUrl from inbound activities and persists it in the conversation reference, so a subsequent reply transmits the bearer credential to whatever host the attacker named. This is a textbook CWE-918 SSRF where the SSRF primitive is weaponized for credential exfiltration rather than internal network probing, made possible by missing validation of serviceUrl against Microsoft's known channel endpoints.

RemediationAI

Upgrade to Nanobot v0.2.1 or later - vendor-released patch: v0.2.1 (https://github.com/HKUDS/nanobot/releases/tag/v0.2.1), with the underlying fix in commit 232df45. If immediate upgrade is not possible, disable the Microsoft Teams channel handler in Nanobot configuration so inbound Teams activities are not processed (side effect: Teams integration stops working until patched); alternatively, place the Teams webhook endpoint behind a reverse proxy that validates the serviceUrl in inbound JSON against Microsoft's published Bot Framework endpoint list (https://*.botframework.com, smba.trafficmanager.net, etc.) and rejects mismatches (side effect: brittle if Microsoft adds new endpoints). Rotate any Bot Framework app credentials that may have been used by an affected bot before patching, since leaked bearer tokens remain valid until the underlying app secret is rolled. Review egress logs from Nanobot hosts for outbound HTTPS to non-Microsoft destinations carrying Authorization headers.

Share

CVE-2026-49139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy