Skip to main content

Nanobot EUVDEUVD-2026-16777

| CVE-2026-33654 HIGH
Code Injection (CWE-94)
2026-03-27 security-advisories@github.com
8.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.1.4.post6
EUVD ID Assigned
Mar 27, 2026 - 20:22 euvd
EUVD-2026-16777
Analysis Generated
Mar 27, 2026 - 20:22 vuln.today
CVE Published
Mar 27, 2026 - 20:16 nvd
HIGH 8.9

DescriptionGitHub Advisory

nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (nanobot/channels/email.py), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.

AnalysisAI

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

Technical ContextAI

This vulnerability affects the email channel processing implementation in nanobot's channels/email.py module. The root cause is classified as CWE-94 (Improper Control of Generation of Code), specifically manifesting as an indirect prompt injection flaw. The bot's email polling mechanism treats incoming email content as trusted input without proper sanitization or context isolation. When processing emails, malicious prompts embedded in email bodies are interpreted as legitimate LLM instructions, allowing attackers to manipulate the AI assistant's behavior and invoke system-level tools. This architectural weakness stems from insufficient separation between user-controlled data channels and the LLM's instruction processing pipeline, a common vulnerability pattern in AI agent frameworks that integrate multiple input sources without proper security boundaries.

RemediationAI

Immediately upgrade to nanobot version 0.1.6 or later, which contains patches addressing the indirect prompt injection vulnerability in the email channel processing module. Organizations unable to upgrade immediately should disable email channel functionality until patching is complete, effectively removing the attack surface. Review logs for suspicious email-triggered LLM activities or unexpected system tool invocations that may indicate exploitation attempts. Implement additional email filtering rules to quarantine messages from untrusted sources before they reach the nanobot processing pipeline. After patching, conduct security testing to verify the fix effectiveness and ensure proper input validation is enforced. Refer to the GitHub security advisory at https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3 for complete remediation guidance and technical implementation details from the vendor.

Share

EUVD-2026-16777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy