CVE-2026-35589

Source
https://cve.org/CVERecord?id=CVE-2026-35589
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35589.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35589
Aliases
  • GHSA-v5j3-4q66-58cf
Published
2026-04-14T22:47:32.837Z
Modified
2026-07-15T01:49:21.848950143Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
nanobot: Cross-Site WebSocket Hijacking in WhatsApp Bridge (CVE-2026-2577 Fix Update)
Details

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to 127.0.0.1 and added an optional BRIDGE_TOKEN parameter, but token authentication is disabled by default and the server does not validate the Origin header during the WebSocket handshake. Because browsers do not enforce the Same-Origin Policy on WebSockets unless the server explicitly denies cross-origin connections, any website visited by a user running the bridge can establish a WebSocket connection to ws://127.0.0.1:3001/ and gain full access to the bridge API. This allows an attacker to hijack the WhatsApp session, read incoming messages, steal authentication QR codes, and send messages on behalf of the user. This issue has bee fixed in version 0.1.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35589.json",
    "cwe_ids": [
        "CWE-1385"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/hkuds/nanobot

Affected ranges

Type
GIT
Repo
https://github.com/hkuds/nanobot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:nanobot:nanobot:*:*:*:*:*:python:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.5"
        }
    ]
}

Affected versions

v0.*
v0.1.3.post4
v0.1.3.post5
v0.1.3.post6
v0.1.4
v0.1.4.post1
v0.1.4.post2
v0.1.4.post3
v0.1.4.post4
v0.1.4.post6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35589.json"