Skip to main content

Nanobot EUVDEUVD-2026-33757

| CVE-2026-49138 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-01 VulnCheck GHSA-434r-7c99-hwf3
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 01, 2026 - 21:22 NVD
5.0 (MEDIUM) 5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 01, 2026 - 20:53 vuln.today
Analysis Generated
Jun 01, 2026 - 20:53 vuln.today

DescriptionCVE.org

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the automatic HTTP redirect following behavior in the httpx library to bypass initial URL validation and cause the runtime to send outbound requests to internal hosts before final resolved URL validation is applied.

AnalysisAI

Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe and reach internal or private network hosts by exploiting the httpx library's automatic HTTP redirect-following behavior. The attack bypasses initial URL validation by supplying a legitimate-looking external URL that responds with a 3xx redirect to a loopback or RFC-1918 address - the outbound request to the internal host is dispatched before any post-redirect validation is applied. No public exploit code exists and no CISA KEV listing is present, but the Changed Scope (S:C) in the CVSS vector indicates that successful exploitation can affect network components beyond Nanobot itself, such as internal APIs or metadata services.

Technical ContextAI

Nanobot (CPE: cpe:2.3:a:hkuds:nanobot:*:*:*:*:*:*:*:*) is an AI agent runtime developed by HKUDS that exposes a web_fetch tool enabling the agent to fetch arbitrary URLs on behalf of users. The underlying HTTP client is the Python httpx library, which follows 3xx Location redirects automatically by default. CWE-918 (Server-Side Request Forgery) describes the root cause: the application validates the user-supplied URL before issuing the request but does not re-validate or block the final destination after redirect resolution. This creates a TOCTOU-style gap - the initial URL appears safe (pointing to an attacker-controlled external host), but the 3xx redirect steers httpx to a loopback (127.0.0.1/::1) or private-range address (10.x, 172.16-31.x, 192.168.x) that would normally be rejected. Because the redirect is followed before final URL validation is applied, the request reaches the internal host and any response may be observable by the attacker through the tool's output.

RemediationAI

The primary fix is to upgrade Nanobot to v0.2.1 or later; the patch is available via the GitHub release at https://github.com/HKUDS/nanobot/releases/tag/v0.2.1 and was introduced in commit 545294c62c0947da40eb5b65288aaf02b5fdf632 (PR #3928). If an immediate upgrade is not possible, compensating controls should target the redirect-following behavior: configure the httpx client (or any HTTP client wrapping web_fetch) to disable automatic redirect following, then explicitly validate the Location header URL against an allowlist of permitted external domains before issuing a follow-up request - this eliminates the validation gap without patching. Alternatively, deploy Nanobot behind a network egress filter or HTTP proxy that blocks outbound connections to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8, ::1), and cloud metadata service addresses (169.254.169.254) - note this adds operational overhead and may break legitimate internal integrations. Restricting web_fetch tool access to only highly-trusted user roles is a further risk-reduction measure while the patch is being deployed.

Share

EUVD-2026-33757 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy