Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (nanobot/channels/email.py), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.
AnalysisAI
Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.
Technical ContextAI
This vulnerability affects the email channel processing implementation in nanobot's channels/email.py module. The root cause is classified as CWE-94 (Improper Control of Generation of Code), specifically manifesting as an indirect prompt injection flaw. The bot's email polling mechanism treats incoming email content as trusted input without proper sanitization or context isolation. When processing emails, malicious prompts embedded in email bodies are interpreted as legitimate LLM instructions, allowing attackers to manipulate the AI assistant's behavior and invoke system-level tools. This architectural weakness stems from insufficient separation between user-controlled data channels and the LLM's instruction processing pipeline, a common vulnerability pattern in AI agent frameworks that integrate multiple input sources without proper security boundaries.
RemediationAI
Immediately upgrade to nanobot version 0.1.6 or later, which contains patches addressing the indirect prompt injection vulnerability in the email channel processing module. Organizations unable to upgrade immediately should disable email channel functionality until patching is complete, effectively removing the attack surface. Review logs for suspicious email-triggered LLM activities or unexpected system tool invocations that may indicate exploitation attempts. Implement additional email filtering rules to quarantine messages from untrusted sources before they reach the nanobot processing pipeline. After patching, conduct security testing to verify the fix effectiveness and ensure proper input validation is enforced. Refer to the GitHub security advisory at https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3 for complete remediation guidance and technical implementation details from the vendor.
Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated a
Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establ
Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft
Nanobot's Matrix channel media download handler exhausts process memory and bandwidth when authenticated room members su
Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe a
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16777