CVE-2026-2577

EPSS 0.65%
Veröffentlicht 16.02.2026 10:16:08
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle vulnreport@tenable.com
CVE-Watchlists
Login
Unerledigt
Login

Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge

The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerHKUDS

≫

Produkt nanobot

Default Statusunaffected

Version 0

Version < 0.1.3.Post7

Status affected

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.65%	0.46

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
vulnreport@tenable.com	10	3.9	5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7

https://www.tenable.com/security/research/tra-2026-09

https://nvd.nist.gov/vuln/detail/CVE-2026-2577

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-2577

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-2577

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-2577