CVE-2026-49139
Description
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to transmit token-bearing Authorization header requests to an attacker-controlled host.
Affected products
2 Patches
1232df45126bc fix(msteams): trust official Teams service hosts
2 files changed · +15 −0
nanobot/channels/msteams.py+3 −0 modified@@ -55,6 +55,9 @@ MSTEAMS_WEBCHAT_HOST = "webchat.botframework.com" MSTEAMS_DEFAULT_TRUSTED_SERVICE_URL_HOSTS = [ "smba.trafficmanager.net", + "smba.infra.gcc.teams.microsoft.com", + "smba.infra.gov.teams.microsoft.us", + "smba.infra.dod.teams.microsoft.us", "*.botframework.com", ] MSTEAMS_REF_META_FILENAME = "msteams_conversations_meta.json"
tests/test_msteams.py+12 −0 modified@@ -186,6 +186,18 @@ def test_init_prunes_stale_and_unsupported_conversation_refs(make_channel, tmp_p assert set(persisted.keys()) == {"conv-valid", "conv-missing-ts"} +def test_default_trusted_service_urls_cover_official_teams_clouds(make_channel): + ch = make_channel() + + assert ch._is_trusted_service_url("https://smba.trafficmanager.net/amer/") + assert ch._is_trusted_service_url("https://smba.infra.gcc.teams.microsoft.com/amer/") + assert ch._is_trusted_service_url("https://smba.infra.gov.teams.microsoft.us/amer/") + assert ch._is_trusted_service_url("https://smba.infra.dod.teams.microsoft.us/amer/") + assert ch._is_trusted_service_url("https://westus-api.botframework.com/") + assert not ch._is_trusted_service_url("http://smba.trafficmanager.net/amer/") + assert not ch._is_trusted_service_url("https://smba.trafficmanager.net.evil.example/") + + def test_save_prunes_unsupported_conversation_refs(make_channel, tmp_path, monkeypatch): now = 1_800_000_000.0 monkeypatch.setattr(msteams_module.time, "time", lambda: now)
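Review bot: in nanobot/channels/msteams.py, the three hosts added to MSTEAMS_DEFAULT_TRUSTED_SERVICE_URL_HOSTS carry no comment saying which Teams cloud each one serves or where the name comes from, so a later reader cannot tell an official endpoint from a stale or mistyped one. This list decides where bearer tokens may be sent, so add a comment per entry (or one above the block) naming the cloud and the source document. The existing "*.botframework.com" entry is much broader than the exact hostnames added here; a short comment on why a wildcard is needed there would help as well.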
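Review bot: in tests/test_msteams.py, test_default_trusted_service_urls_cover_official_teams_clouds has only two negative assertions (plain http and a lookalike suffix on smba.trafficmanager.net) and none that exercise the "*.botframework.com" wildcard. Add cases that pin the wildcard's boundary, such as the bare "botframework.com" and a host that ends in the string "botframework.com" without a dot before it, plus a URL whose userinfo part holds a trusted name. A lookalike-suffix case for each of the three new hosts would also confirm that they are matched exactly.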
Vulnerability mechanics
Root cause
"The Microsoft Teams channel handler trusted arbitrary activity.serviceUrl values, allowing them to be used as outbound authorities for token-bearing requests."
Attack vector
An attacker can poison the stored conversation reference by sending a crafted inbound activity, containing an attacker-controlled `serviceUrl` value, to the Teams webhook. If Teams webhook authentication is disabled or bypassed, this forged activity can cause subsequent bot replies to be sent to the attacker-controlled host with the bearer token in the Authorization header [ref_id=1].
Affected code
The vulnerability lies within the Microsoft Teams channel handler, specifically in the `_handle_activity()` function for conversation reference admission and the `send()` function for outbound Bot Framework reply handling. The `nanobot/channels/msteams.py` file contains the affected code, including conversation reference pruning logic [ref_id=1].
What the fix does
The patch hardens the Microsoft Teams channel handler by ensuring that Nanobot does not trust arbitrary `activity.serviceUrl` values when storing conversation references or sending Bot Framework replies. It adds a trusted-host boundary for Teams/Bot Framework service URLs and refuses token-bearing replies to untrusted conversation references. This prevents the `serviceUrl` from being used as an unrestricted bearer-token egress target [ref_id=1].
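A sketch of the trusted-host boundary described above, checked both when a conversation reference is stored and again before a token-bearing reply is built. This is an added example, not Nanobot's code: the host list is copied from the patch on this page, while the function names, the stored-reference shape and the port rule are assumptions.

```python
from urllib.parse import urlsplit

# Hosts copied from the patch on this page; all function and field names
# below are hypothetical and are not Nanobot's own.
TRUSTED_HOSTS = [
    "smba.trafficmanager.net",
    "smba.infra.gcc.teams.microsoft.com",
    "smba.infra.gov.teams.microsoft.us",
    "smba.infra.dod.teams.microsoft.us",
    "*.botframework.com",
]

def is_trusted_service_url(url, patterns=TRUSTED_HOSTS):
    """True only for an https URL whose host matches the allowlist."""
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):  # port rule is an assumption
        return False
    if parts.username is not None or parts.password is not None:
        return False  # authority with a userinfo part in front of the real host
    host = parts.hostname or ""  # urlsplit lower-cases the host
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".botframework.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def admit_conversation_ref(store, conv_id, activity):
    """Inbound side: persist a reference only if its serviceUrl is trusted."""
    service_url = activity.get("serviceUrl")
    if not is_trusted_service_url(service_url):
        return False
    store[conv_id] = {"service_url": service_url}
    return True

def reply_headers(conv_ref, token):
    """Outbound side: re-check the stored reference before attaching the token."""
    if not is_trusted_service_url(conv_ref.get("service_url")):
        raise PermissionError("untrusted serviceUrl, bearer token withheld")
    return {"Authorization": f"Bearer {token}"}
```

The outbound re-check matters because references persisted before the allowlist existed may already hold an untrusted `serviceUrl`.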
Preconditions
- config: Microsoft Teams webhook authentication must be disabled, bypassed, or otherwise not enforced for a reachable webhook [ref_id=1].
- network: The Teams webhook must be reachable by the attacker [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.