VYPR
Medium severity · 4.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-49140

Description

Nanobot versions prior to 0.2.1 are vulnerable to denial of service by authenticated users who can exhaust memory and bandwidth via crafted Matrix media events.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Nanobot versions prior to 0.2.1 contain a denial of service vulnerability within the Matrix channel's media download handler. This vulnerability allows authenticated room members to trigger excessive consumption of process memory and bandwidth by sending media events that have missing or invalid size metadata [4]. The affected code path is reachable when a room member sends a Matrix media event with malformed size information.

Exploitation

An attacker, who must be an authenticated member of a Matrix room processed by Nanobot, can exploit this vulnerability by sending multiple concurrent Matrix media events, each of which either omits the declared size metadata or carries an invalid value. This triggers simultaneous large media downloads whose response bodies are fully materialized before the system can reject them, leading to resource exhaustion [2, 4].

Impact

Successful exploitation of this vulnerability can lead to denial of service by exhausting Nanobot's process memory and bandwidth. This results in service degradation for all users of the affected Nanobot instance. The attacker gains the ability to disrupt the service without needing elevated privileges beyond being a member of a room [2, 4].

Mitigation

Nanobot version 0.2.1 and later include fixes for this vulnerability. This version was released on 2026-06-01 [1]. The fix involves enforcing configured media limits before Matrix attachments are materialized, rejecting media with missing or invalid size metadata before download, streaming media with a hard byte cap, and using a semaphore to limit concurrent media downloads [2]. There are no other workarounds mentioned in the available references.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

1d4000560dff

fix(matrix): reject boolean media sizes

https://github.com/hkuds/nanobot · Xubin Ren · May 30, 2026 · via nvd-ref
2 files changed · +29 −1
  • nanobot/channels/matrix.py (+1 −1, modified)
    @@ -749,7 +749,7 @@ def _is_encrypted_media_event(event: MatrixMediaEvent) -> bool:
         def _event_declared_size_bytes(self, event: MatrixMediaEvent) -> int | None:
             info = self._event_source_content(event).get("info")
             size = info.get("size") if isinstance(info, dict) else None
    -        return size if isinstance(size, int) and size >= 0 else None
    +        return size if type(size) is int and size >= 0 else None
     
         def _event_mime(self, event: MatrixMediaEvent) -> str | None:
             info = self._event_source_content(event).get("info")
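Review bot: the switch from `isinstance(size, int)` to `type(size) is int` on the changed `return` line deserves a one-line comment stating why, because bool is a subclass of int in Python, so `isinstance(True, int)` holds and `True >= 0` is true, which is exactly how a declared size of `True` was previously accepted as a 1-byte file; without that comment a later cleanup, or a linter that prefers isinstance, is likely to revert it. It is also worth noting next to the check that the returned value is still an untrusted claim from the event's content.info and only serves as a pre-download gate; the byte cap applied while streaming is what actually bounds memory, so this helper must not become the only limit.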
    
  • tests/channels/test_matrix_channel.py (+28 −0, modified)
    @@ -1828,6 +1828,34 @@ async def _download_should_not_run(*_args, **_kwargs):
         assert marker == "[attachment: payload.bin - too large]"
     
     
    +@pytest.mark.asyncio
    +async def test_fetch_media_rejects_bool_declared_size(monkeypatch, tmp_path) -> None:
    +    channel = MatrixChannel(_make_config(max_media_bytes=8), MessageBus())
    +    client = _FakeAsyncClient("https://matrix.org", "", "", None)
    +    channel.client = client
    +    monkeypatch.setattr("nanobot.channels.matrix.get_media_dir", lambda _name: tmp_path)
    +
    +    async def _download_should_not_run(*_args, **_kwargs):
    +        raise AssertionError("bool size should be rejected before fetching bytes")
    +
    +    monkeypatch.setattr(channel, "_download_media_bytes", _download_should_not_run)
    +    event = SimpleNamespace(
    +        sender="@alice:matrix.org",
    +        event_id="$event1",
    +        body="payload.bin",
    +        url="mxc://example.org/media",
    +        source={"content": {"msgtype": "m.file", "info": {"size": True}}},
    +    )
    +
    +    attachment, marker = await channel._fetch_media_attachment(
    +        SimpleNamespace(room_id="!room:matrix.org"),
    +        event,
    +    )
    +
    +    assert attachment is None
    +    assert marker == "[attachment: payload.bin - too large]"
    +
    +
     @pytest.mark.asyncio
     async def test_fetch_media_rejects_declared_oversized_before_download(monkeypatch, tmp_path) -> None:
         channel = MatrixChannel(_make_config(max_media_bytes=8), MessageBus())
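Review bot: the new test only exercises `True`; since the guard is `type(size) is int`, `False` is rejected by the same path, and a `@pytest.mark.parametrize("size", [True, False])` on `test_fetch_media_rejects_bool_declared_size` would pin both values down at no extra cost. The setup (channel, `_FakeAsyncClient`, the `get_media_dir` patch and the `_download_should_not_run` stub) is repeated verbatim from the surrounding tests, so a fixture would shorten this one and the adjacent `test_fetch_media_rejects_declared_oversized_before_download`. Finally, the assertion on `"[attachment: payload.bin - too large]"` is made for an invalid size rather than an oversized one; a short comment that malformed or unknown sizes are deliberately reported as too large would keep a future reader from "fixing" the marker.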
    

Vulnerability mechanics

Root cause

"The Matrix channel's media download handler did not sufficiently validate media size metadata before initiating downloads, allowing for resource exhaustion."

Attack vector

An authenticated room member can send multiple concurrent Matrix media events with omitted or invalid declared sizes. This triggers simultaneous large media downloads that fully materialize response bodies before post-download rejection. The process consumes memory and bandwidth until service degradation occurs [ref_id=1]. The attack flow begins with a sender admitted by the bot's channel policy, who then sends large media with omitted or unknown content.info.size, bypassing pre-download size rejection [ref_id=1].

Affected code

The vulnerability resides in the Matrix channel's inbound media handling, specifically within nanobot/channels/matrix.py. The issue stems from the download helper accepting fully materialized response bodies before a post-download size check, and the lack of a concurrency cap around inbound media downloads [ref_id=1].

What the fix does

The patch hardens inbound media handling by enforcing configured media limits before attachments are materialized. It rejects Matrix media when the event does not provide trusted content.info.size metadata, rather than treating unknown sizes as safe. Additionally, media is streamed through aiohttp with a hard byte cap, aborting once max_media_bytes is exceeded, and a semaphore limits concurrent media downloads to prevent unbounded fan-out [ref_id=1].

Preconditions

  • auth: Attacker must be an authenticated room member with permission to send messages to a room processed by the bot.
  • config: The bot must be configured to process Matrix channels.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4