Home > Vulnerability Database > CVE-2026-2577

Mend.io Vulnerability Database

CVE-2026-2577

Good to know:

Date: February 16, 2026

The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes.

Severity Score

10.0

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-2577

Url: https://github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7

Url: https://www.tenable.com/security/research/tra-2026-09

Url: https://www.cve.org/CVERecord?id=CVE-2026-2577

Url: https://www.mend.io/vulnerability-database/CVE-2026-2577

Severity Score

10.0

Weakness Type (CWE)

Missing Authentication for Critical Function

CWE-306

Top Fix

Upgrade Version

Upgrade to version nanobot-ai - 0.1.3.post7;https://github.com/HKUDS/nanobot.git - v0.1.3.post7

Learn More

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-2577

Good to know:

Date: February 16, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?