Critical severity10.0NVD Advisory· Published Feb 16, 2026· Updated Apr 15, 2026

CVE-2026-2577

Description

The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes.

Affected products

Hkuds/Nanobotreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7nvd
www.tenable.com/security/research/tra-2026-09nvd

News mentions

No linked articles in our index yet.

cvss	0.650
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000