FKIE_CVE-2026-2577

Vulnerability from fkie_nvd - Published: 2026-02-16 10:16 - Updated: 2026-02-18 17:52
Severity: CRITICAL (CVSS v3.1 base score 10.0, per the record below)
Summary
The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes.
Impacted products
Vendor Product Version

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes."
    },
    {
      "lang": "es",
      "value": "El componente de puente de WhatsApp en Nanobot enlaza el servidor WebSocket a todas las interfaces de red (0.0.0.0) en el puerto 3001 por defecto y no requiere autenticaci\u00f3n para las conexiones entrantes. Un atacante remoto no autenticado con acceso de red al puente puede conectarse al servidor WebSocket para secuestrar la sesi\u00f3n de WhatsApp. Esto permite al atacante enviar mensajes en nombre del usuario, interceptar todos los mensajes y medios entrantes en tiempo real, y capturar c\u00f3digos QR de autenticaci\u00f3n."
    }
  ],
  "id": "CVE-2026-2577",
  "lastModified": "2026-02-18T17:52:22.253",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.8,
        "source": "vulnreport@tenable.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-16T10:16:08.827",
  "references": [
    {
      "source": "vulnreport@tenable.com",
      "url": "https://github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7"
    },
    {
      "source": "vulnreport@tenable.com",
      "url": "https://www.tenable.com/security/research/tra-2026-09"
    }
  ],
  "sourceIdentifier": "vulnreport@tenable.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "vulnreport@tenable.com",
      "type": "Secondary"
    }
  ]
}

