CVE-2026-2577
Unauthenticated WebSocket Access in Nanobot WhatsApp Bridge Enables Session Hijacking
Publication date: 2026-02-16
Last updated on: 2026-02-16
Assigner: Tenable Network Security, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nanobot | nanobot | 0.1.3.post7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-2577 affects the WhatsApp bridge component of Nanobot. The WebSocket server is bound to all network interfaces (0.0.0.0) on port 3001 by default and does not require any authentication for incoming connections.
This means that an unauthenticated remote attacker who has network access to the bridge can connect to the WebSocket server and hijack the WhatsApp session linked to it.
Exploitation allows the attacker to send messages impersonating the user, intercept all incoming messages and media in real time, and capture authentication QR codes.
How can this vulnerability impact me?
This vulnerability can severely affect the confidentiality and integrity of your WhatsApp communications.
- An attacker can send messages on your behalf, potentially misleading your contacts or causing reputational damage.
- The attacker can intercept all incoming messages and media in real time, leading to loss of privacy and exposure of sensitive information.
- Authentication QR codes can be captured, allowing persistent unauthorized access to your WhatsApp session.
The vulnerability has a critical severity rating with a CVSS score of 10.0, indicating a high risk to confidentiality and integrity but no impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Nanobot WhatsApp bridge server is running and listening on port 3001 bound to all network interfaces (0.0.0.0) without authentication.
You can use network scanning or port checking commands to identify if the service is exposed.
- Use netstat or ss to check listening ports and interfaces: `netstat -tuln | grep 3001` or `ss -tuln | grep 3001`
- Use nmap to scan the target system for open port 3001: `nmap -p 3001 <target-ip>`
- Attempt to connect to the WebSocket server on port 3001 to see if authentication is required, for example using `websocat` or a WebSocket client.
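As an added example (not part of the advisory or of Nanobot), the script below classifies listeners on the bridge port from `ss -tlnH` output, matching the port exactly and separating loopback binds from network-reachable ones. The function names and the sample lines are constructed for illustration; port 3001 is the default stated above.

```sh
#!/bin/sh
# Added example: audit where the bridge port is bound, using `ss -tlnH` output.
# Function names are hypothetical; 3001 is the default port from the advisory.
BRIDGE_PORT="${BRIDGE_PORT:-3001}"

# Reads `ss -tlnH` lines on stdin and prints "EXPOSED <addr:port>" or
# "LOOPBACK <addr:port>" for every TCP listener on exactly $BRIDGE_PORT.
classify_listeners() {
  awk -v port="$BRIDGE_PORT" '
    {
      local_addr = $4                         # Local Address:Port column
      pos = match(local_addr, /:[0-9]+$/)     # final ":port", safe for IPv6
      if (pos == 0) next
      if (substr(local_addr, pos + 1) + 0 != port + 0) next  # exact port only
      addr = substr(local_addr, 1, pos - 1)
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] -> ::1
      sub(/%.*$/, "", addr)                        # drop %iface scope suffix
      if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) {
        print "LOOPBACK", local_addr
      } else {
        print "EXPOSED", local_addr                # 0.0.0.0, *, [::], LAN IPs
      }
    }'
}

# Succeeds (exit 0) when at least one listener on the port is not loopback-only.
bridge_is_exposed() {
  classify_listeners | grep -q '^EXPOSED'
}

# Constructed sample: `ss -tlnH` lines combined from several hypothetical hosts.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:3001 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3001 0.0.0.0:*
LISTEN 0 511 [::1]:3001 [::]:*
LISTEN 0 511 *:3001 *:*
LISTEN 0 128 10.0.0.5:13001 0.0.0.0:*'

# Demo on the sample. Live check on a host: ss -tlnH | classify_listeners
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```

Unlike `grep 3001`, the exact port comparison does not flag the unrelated listener on port 13001 in the sample.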
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Nanobot to version 0.1.3.post7 or later, which fixes the vulnerability by binding the WhatsApp bridge server to localhost and adding optional token authentication.
Until the upgrade can be applied, restrict network access to port 3001 to trusted hosts only, for example by using firewall rules to block external access.
Consider disabling or stopping the WhatsApp bridge service if it is not required.