CVE-2026-2577

Source
https://cve.org/CVERecord?id=CVE-2026-2577
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2577.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2577
Published
2026-02-16T10:16:08.827Z
Modified
2026-02-20T01:35:34.091865Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
[none]
Details

The WhatsApp bridge component in Nanobot binds its WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and requires no authentication for incoming connections. Any unauthenticated attacker who can reach that port can connect to the WebSocket server and hijack the WhatsApp session: send messages as the user, intercept all incoming messages and media in real time, and capture the QR codes used to authenticate the session.
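The two controls the record says are absent are a loopback-only default bind and per-connection authentication. The following is an added example, not Nanobot's bridge code, of how a local bridge can enforce both at the WebSocket handshake: it refuses to start on a non-loopback address unless a token is configured, and it answers each HTTP Upgrade request with 101 only when a bearer token matches in constant time. The function names, the `/ws` path and the token are assumptions for illustration; the sample request is constructed here and uses the example key from RFC 6455.

```python
# Added example for this advisory: NOT Nanobot's bridge code. A minimal
# WebSocket handshake gatekeeper with a loopback-by-default bind policy and
# bearer-token authentication of each Upgrade request. All names below
# (check_bind_policy, handshake_response, the /ws path, the token) are
# assumptions for illustration.
import base64
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID


def check_bind_policy(host: str, token: Optional[str]) -> str:
    """Return the host to bind, or raise if the configuration would expose an
    unauthenticated bridge to the network (0.0.0.0 with no token)."""
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if not loopback and not token:
        raise ValueError(
            f"refusing to bind {host}: a non-loopback bind requires a bridge token"
        )
    return host


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into its request line and a dict of
    lower-cased header names to values."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handshake_response(raw: bytes, token: str) -> Tuple[int, Dict[str, str]]:
    """Decide the HTTP status for an Upgrade request: 400 if malformed,
    403 if it carries an Origin (a web page, not the local agent), 401 if the
    bearer token is missing or wrong, else 101 with Sec-WebSocket-Accept."""
    request_line, h = parse_request(raw)
    if (not request_line.startswith("GET ")
            or h.get("upgrade", "").lower() != "websocket"
            or "sec-websocket-key" not in h):
        return 400, {}
    # A local bridge has no browser clients, so any Origin header is a
    # cross-site WebSocket attempt from a web page; reject before auth.
    if "origin" in h:
        return 403, {}
    presented = h.get("authorization", "")
    prefix = "Bearer "
    if not presented.startswith(prefix) or not hmac.compare_digest(
        presented[len(prefix):].encode(), token.encode()
    ):
        return 401, {"WWW-Authenticate": "Bearer"}
    accept = base64.b64encode(
        hashlib.sha1((h["sec-websocket-key"] + WS_GUID).encode()).digest()
    ).decode()
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept}


def sample_upgrade_request(token: Optional[str] = None,
                           origin: Optional[str] = None) -> bytes:
    """Constructed sample Upgrade request; the key is RFC 6455's example key."""
    lines = [
        "GET /ws HTTP/1.1",
        "Host: 127.0.0.1:3001",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Sec-WebSocket-Version: 13",
    ]
    if token is not None:
        lines.append(f"Authorization: Bearer {token}")
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    bridge_token = "example-token"  # assumed: generated per install, shared only with the agent process
    print(check_bind_policy("127.0.0.1", None))                              # 127.0.0.1
    print(handshake_response(sample_upgrade_request(), bridge_token)[0])         # 401
    print(handshake_response(sample_upgrade_request(bridge_token), bridge_token)[0])  # 101
```

The bind check runs once at startup, so an operator who deliberately sets the host to 0.0.0.0 must also set a token; the handshake check runs per connection, so a port scan that reaches 3001 gets a 401 rather than a live session. Authenticating at the Upgrade step, before any WebSocket frame is accepted, keeps unauthenticated peers away from the message and QR-code stream entirely.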

References

Affected packages

Git / github.com/hkuds/nanobot

Affected ranges

Type
GIT
Repo
https://github.com/hkuds/nanobot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.1.3.post4
v0.1.3.post5
v0.1.3.post6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2577.json"