Skip to main content

Nanobot

6 CVEs product

Monthly

CVE-2026-48716 HIGH This Week

Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated attackers to write attacker-controlled content to arbitrary filesystem locations by sending a WhatsApp document message with a path-traversal sequence in its fileName field. Because both the destination path and the file content are attacker-controlled, exploitation yields a write-anywhere primitive that can be escalated to remote code execution (e.g., by overwriting authorized_keys or shell startup files). No public exploit identified at time of analysis; a fix is planned for version 0.1.5.post4.

Path Traversal Node.js Nanobot
NVD GitHub
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-49140 MEDIUM PATCH This Month

Nanobot's Matrix channel media download handler exhausts process memory and bandwidth when authenticated room members submit media events carrying missing or invalid declared size metadata. All versions of Nanobot prior to 0.2.1 are affected (CPE: cpe:2.3:a:hkuds:nanobot:*:*:*:*:*:*:*:*). An authenticated Matrix room member can send multiple concurrent malformed media events, causing the handler to fully materialize response bodies before performing post-download size validation, consuming process resources until service availability degrades. No public exploit code or CISA KEV listing exists at time of analysis; a vendor-released patch is available in v0.2.1.

Denial Of Service Nanobot
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-49139 HIGH PATCH This Week

Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft Bot Framework bearer tokens by poisoning the stored Teams conversation reference with an attacker-controlled serviceUrl. VulnCheck reported the issue and HKUDS shipped a fix in v0.2.1 (commit 232df45), but at time of analysis there is no public exploit identified and the CVE is not on CISA KEV. CVSS 4.0 of 7.0 reflects low vulnerable-system impact but High confidentiality/integrity impact on subsequent (downstream) systems - namely the Bot Framework tenant whose tokens are leaked.

Microsoft SSRF Nanobot
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-49138 MEDIUM PATCH This Month

Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe and reach internal or private network hosts by exploiting the httpx library's automatic HTTP redirect-following behavior. The attack bypasses initial URL validation by supplying a legitimate-looking external URL that responds with a 3xx redirect to a loopback or RFC-1918 address - the outbound request to the internal host is dispatched before any post-redirect validation is applied. No public exploit code exists and no CISA KEV listing is present, but the Changed Scope (S:C) in the CVSS vector indicates that successful exploitation can affect network components beyond Nanobot itself, such as internal APIs or metadata services.

SSRF Nanobot
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35589 HIGH This Week

Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establish unauthorized WebSocket connections to the local bridge server (ws://127.0.0.1:3001/), enabling WhatsApp session hijacking, message interception, QR code theft, and unauthorized message transmission. This vulnerability stems from incomplete remediation of CVE-2026-2577, where the added BRIDGE_TOKEN authentication is disabled by default and the server fails to validate the Origin header during WebSocket handshakes. Attack complexity is high (AC:H) but requires no authentication (PR:N), only user interaction (UI:R) such as visiting a malicious website while the bridge is running. No public exploit identified at time of analysis, though the technical details are fully disclosed in GitHub security advisory GHSA-v5j3-4q66-58cf.

Information Disclosure Nanobot
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-33654 HIGH PATCH This Week

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

RCE Code Injection Nanobot
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated attackers to write attacker-controlled content to arbitrary filesystem locations by sending a WhatsApp document message with a path-traversal sequence in its fileName field. Because both the destination path and the file content are attacker-controlled, exploitation yields a write-anywhere primitive that can be escalated to remote code execution (e.g., by overwriting authorized_keys or shell startup files). No public exploit identified at time of analysis; a fix is planned for version 0.1.5.post4.

Path Traversal Node.js Nanobot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Nanobot's Matrix channel media download handler exhausts process memory and bandwidth when authenticated room members submit media events carrying missing or invalid declared size metadata. All versions of Nanobot prior to 0.2.1 are affected (CPE: cpe:2.3:a:hkuds:nanobot:*:*:*:*:*:*:*:*). An authenticated Matrix room member can send multiple concurrent malformed media events, causing the handler to fully materialize response bodies before performing post-download size validation, consuming process resources until service availability degrades. No public exploit code or CISA KEV listing exists at time of analysis; a vendor-released patch is available in v0.2.1.

Denial Of Service Nanobot
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft Bot Framework bearer tokens by poisoning the stored Teams conversation reference with an attacker-controlled serviceUrl. VulnCheck reported the issue and HKUDS shipped a fix in v0.2.1 (commit 232df45), but at time of analysis there is no public exploit identified and the CVE is not on CISA KEV. CVSS 4.0 of 7.0 reflects low vulnerable-system impact but High confidentiality/integrity impact on subsequent (downstream) systems - namely the Bot Framework tenant whose tokens are leaked.

Microsoft SSRF Nanobot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe and reach internal or private network hosts by exploiting the httpx library's automatic HTTP redirect-following behavior. The attack bypasses initial URL validation by supplying a legitimate-looking external URL that responds with a 3xx redirect to a loopback or RFC-1918 address - the outbound request to the internal host is dispatched before any post-redirect validation is applied. No public exploit code exists and no CISA KEV listing is present, but the Changed Scope (S:C) in the CVSS vector indicates that successful exploitation can affect network components beyond Nanobot itself, such as internal APIs or metadata services.

SSRF Nanobot
NVD GitHub
EPSS 0% CVSS 8.0
HIGH This Week

Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establish unauthorized WebSocket connections to the local bridge server (ws://127.0.0.1:3001/), enabling WhatsApp session hijacking, message interception, QR code theft, and unauthorized message transmission. This vulnerability stems from incomplete remediation of CVE-2026-2577, where the added BRIDGE_TOKEN authentication is disabled by default and the server fails to validate the Origin header during WebSocket handshakes. Attack complexity is high (AC:H) but requires no authentication (PR:N), only user interaction (UI:R) such as visiting a malicious website while the bridge is running. No public exploit identified at time of analysis, though the technical details are fully disclosed in GitHub security advisory GHSA-v5j3-4q66-58cf.

Information Disclosure Nanobot
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

RCE Code Injection Nanobot
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy