Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to transmit token-bearing Authorization header requests to an attacker-controlled host.
AnalysisAI
Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft Bot Framework bearer tokens by poisoning the stored Teams conversation reference with an attacker-controlled serviceUrl. VulnCheck reported the issue and HKUDS shipped a fix in v0.2.1 (commit 232df45), but at time of analysis there is no public exploit identified and the CVE is not on CISA KEV. CVSS 4.0 of 7.0 reflects low vulnerable-system impact but High confidentiality/integrity impact on subsequent (downstream) systems - namely the Bot Framework tenant whose tokens are leaked.
Technical ContextAI
Nanobot is an open-source agent runtime (cpe:2.3:a:hkuds:nanobot) that integrates with chat platforms including Microsoft Teams via the Bot Framework. In the Bot Framework protocol, each inbound Activity carries a serviceUrl field that the bot is expected to call back to when sending replies, attaching an OAuth bearer token in the Authorization header. The vulnerable Teams channel handler trusts the serviceUrl from inbound activities and persists it in the conversation reference, so a subsequent reply transmits the bearer credential to whatever host the attacker named. This is a textbook CWE-918 SSRF where the SSRF primitive is weaponized for credential exfiltration rather than internal network probing, made possible by missing validation of serviceUrl against Microsoft's known channel endpoints.
RemediationAI
Upgrade to Nanobot v0.2.1 or later - vendor-released patch: v0.2.1 (https://github.com/HKUDS/nanobot/releases/tag/v0.2.1), with the underlying fix in commit 232df45. If immediate upgrade is not possible, disable the Microsoft Teams channel handler in Nanobot configuration so inbound Teams activities are not processed (side effect: Teams integration stops working until patched); alternatively, place the Teams webhook endpoint behind a reverse proxy that validates the serviceUrl in inbound JSON against Microsoft's published Bot Framework endpoint list (https://*.botframework.com, smba.trafficmanager.net, etc.) and rejects mismatches (side effect: brittle if Microsoft adds new endpoints). Rotate any Bot Framework app credentials that may have been used by an affected bot before patching, since leaked bearer tokens remain valid until the underlying app secret is rolled. Review egress logs from Nanobot hosts for outbound HTTPS to non-Microsoft destinations carrying Authorization headers.
Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to exe
Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated a
Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establ
Nanobot's Matrix channel media download handler exhausts process memory and bandwidth when authenticated room members su
Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe a
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33759
GHSA-gv7x-pq3j-c5mj