CVE-2026-33654
Indirect Prompt Injection in Nanobot Email Module Enables Remote Code Execution
Publication date: 2026-03-27
Last updated on: 2026-04-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nanobot | nanobot | to 0.1.4 (exc) |
| nanobot | nanobot | 0.1.4 |
| nanobot | nanobot | 0.1.4 |
| nanobot | nanobot | 0.1.4 |
| nanobot | nanobot | 0.1.4 |
| nanobot | nanobot | 0.1.4 |
| nanobot | nanobot | 0.1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade nanobot to version 0.1.6 or later, where this vulnerability is patched.
- Do not rely solely on the 'From' header for sender authentication; implement verification of the 'Authentication-Results' header to ensure SPF and DKIM checks pass before processing emails.
- Disable email polling by default or provide explicit warnings about the risks of enabling IMAP polling.
- Isolate email context by tagging emails explicitly and restrict tool execution within asynchronous email processing to prevent direct injection into the main AgentLoop.
Can you explain this vulnerability to me?
The vulnerability in nanobot (prior to version 0.1.6) exists in its email channel processing module. It is an indirect prompt injection vulnerability that allows a remote, unauthenticated attacker to send specially crafted emails to the bot's monitored email address. The bot automatically polls and processes these emails as trusted input without verifying the sender's authenticity.
Because the system relies solely on the email's 'From' header for sender identification, which can be easily spoofed, attackers can bypass authentication and inject malicious prompts. These prompts cause the bot to execute arbitrary instructions on its large language model (LLM) and system tools without any interaction from the bot owner, resulting in a stealthy, zero-click attack.
How can this vulnerability impact me? :
This vulnerability can lead to a complete compromise of the nanobot's decision-making process and the host system it runs on.
- Remote code execution by unauthorized attackers.
- Unauthorized access to sensitive data, such as configuration files containing API keys.
- Stealthy attacks that require no user interaction (zero-click), making detection difficult.
- Potential persistent reverse shells granting full remote control over the host system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring the nanobot email channel processing behavior and inspecting email traffic to the bot's monitored email address.
Since the vulnerability exploits spoofed 'From' headers in emails fetched via IMAP, you can detect suspicious activity by checking for emails with spoofed sender addresses or unusual prompt content targeting the bot.
Suggested commands and approaches include:
- Monitor IMAP logs or use tools like tcpdump or Wireshark to capture and analyze email traffic to the bot's email address.
- Use IMAP commands to list and inspect unread emails, for example with openssl or imaplib in Python.
- Example command to list unread emails via IMAP using openssl: `openssl s_client -connect imap.example.com:993` then issue IMAP commands like `a1 LOGIN user password` and `a2 SEARCH UNSEEN`.
- Parse suspicious emails to check the 'From' header and email body for injected prompts that could trigger the LLM to execute commands.
- Check nanobot logs for unexpected execution of system commands or unusual AgentLoop activity triggered by email inputs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands and access sensitive data by exploiting the email channel processing module in nanobot. This can lead to unauthorized access and exfiltration of sensitive information, which may violate data protection requirements under regulations such as GDPR and HIPAA.
Specifically, the ability to read configuration files containing API keys and execute system commands without user interaction poses significant risks to confidentiality and integrity of personal and sensitive data.
Therefore, deployments of nanobot with the vulnerable email channel enabled could fail to meet compliance obligations related to data security, access control, and breach prevention mandated by common standards and regulations.