CVE-2026-28800
Remote Code Execution via Discord Control in Natro Macro
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| natroteam | natro_macro | before 1.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28800 is a vulnerability in Natro Macro, an open-source Bee Swarm Simulator macro written in AutoHotkey, affecting versions prior to 1.1.0. The issue arises when Discord Remote Control (RC) is set up in a non-private Discord channel. Any user with permission to send messages in that channel can exploit this vulnerability to execute commands on the host computer.
This includes full control over keyboard and mouse inputs as well as unrestricted access to the file system. The root causes include improper authentication, failure to restrict pathname access, and allowing upload of dangerous file types, which enable path traversal attacks and unauthorized file operations.
The vulnerability requires network access, high privileges, and user interaction to exploit, and it was patched in version 1.1.0 by implementing userID/roleID whitelisting to restrict command execution to authorized users only.
How can this vulnerability impact me?
This vulnerability can have a significant impact by allowing unauthorized users to take full control of your computer through Discord Remote Control commands. Specifically, attackers can control your keyboard and mouse inputs and gain full access to your files.
Such control can lead to data theft, unauthorized file modification or deletion, and potentially disrupt system availability. Because the vulnerability affects confidentiality, integrity, and availability, it poses a high risk to your system security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized remote control commands sent via Discord messages in a non-private channel where Discord Remote Control is enabled. Detection would focus on monitoring Discord channels for suspicious remote control commands or unexpected activity from users with message-sending permissions.
Since the vulnerability exploits Discord Remote Control commands, you can check for unusual or unauthorized commands being executed by monitoring Discord message logs in the relevant channels.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Natro Macro to version 1.1.0 or later, where the issue has been patched by implementing userID/roleID whitelisting for remote control commands.
As a workaround, keep the Discord command channel and server private and restrict message-sending permissions to prevent unauthorized users from controlling the macro or the host computer.
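The log review described under detection and the userID/roleID whitelisting described under mitigation can be combined into one audit pass. The following is an added example, not code from Natro Macro or from this advisory; the `?` prefix, the command names, the record layout and all IDs are assumptions constructed for illustration.

```python
from collections import namedtuple

# Assumptions for this example only (none come from Natro Macro): the "?" prefix,
# the command names, the record layout and every ID are constructed.
PREFIX = "?"
ALLOWED_USERS = frozenset({"100000000000000001"})
ALLOWED_ROLES = frozenset({"200000000000000001"})

Message = namedtuple(
    "Message", "msg_id author_id role_ids content attachments", defaults=((),))

def is_authorized(msg, users=ALLOWED_USERS, roles=ALLOWED_ROLES):
    """User-ID / role-ID check that fails closed when both allowlists are empty."""
    if not users and not roles:
        return False
    return msg.author_id in users or bool(roles.intersection(msg.role_ids))

def leaves_base_dir(arg):
    """True for an absolute path or one containing a '..' component (CWE-22)."""
    parts = arg.replace("\\", "/").split("/")
    absolute = arg.startswith(("/", "\\")) or arg[1:3] in (":\\", ":/")
    return absolute or ".." in parts

def audit(messages, prefix=PREFIX):
    """Return (msg_id, reasons) for every command sent by an unlisted sender."""
    findings = []
    for msg in messages:
        words = msg.content.split()
        if not words or not words[0].startswith(prefix) or is_authorized(msg):
            continue
        reasons = ["sender not on allowlist"]
        if any(leaves_base_dir(a) for a in words[1:]):
            reasons.append("path argument outside base directory")
        if msg.attachments:
            reasons.append("file attached to command")
        findings.append((msg.msg_id, reasons))
    return findings

SAMPLE_LOG = [  # constructed records, not real Discord data
    Message("m1", "100000000000000001", (), "?cmd-a"),
    Message("m2", "300000000000000003", (), "hello everyone"),
    Message("m3", "300000000000000003", (), "?cmd-b ..\\..\\outside.txt"),
    Message("m4", "400000000000000004", ("200000000000000001",), "?cmd-a"),
    Message("m5", "300000000000000003", (), "?cmd-c", ("script.ahk",)),
]

if __name__ == "__main__":
    for msg_id, reasons in audit(SAMPLE_LOG):
        print(msg_id, "; ".join(reasons))
```

On a pre-1.1.0 install, any finding in the command channel means a sender outside the intended operators was able to issue commands there.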