Executive Summary

The vulnerability is a Cross-Site WebSocket Hijacking (CSWSH) issue in the nanobot personal AI assistant's bridge WebSocket server. It exists in versions prior to 0.1.5 due to incomplete remediation of a previous vulnerability (CVE-2026-2577). Although the server was changed to bind only to localhost (127.0.0.1) and an optional token authentication was added, token authentication is disabled by default and the server does not validate the Origin header during the WebSocket handshake.

Because browsers do not enforce the Same-Origin Policy on WebSockets unless the server explicitly denies cross-origin connections, any website visited by a user running the bridge can establish a WebSocket connection to ws://127.0.0.1:3001/ and gain full access to the bridge API.

This allows an attacker to hijack the WhatsApp session, read incoming messages, steal authentication QR codes, and send messages on behalf of the user.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to your WhatsApp session through the nanobot bridge API.

• Hijacking your WhatsApp session.
• Reading your incoming messages without your consent.
• Stealing authentication QR codes used for session authentication.
• Sending messages on your behalf, potentially impersonating you.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade nanobot to version 0.1.5 or later, where the issue has been fixed.

Ensure that the WebSocket server is not accessible from external networks by verifying it binds only to localhost (127.0.0.1).

Enable token authentication (BRIDGE_TOKEN) on the WebSocket server to prevent unauthorized access.

Verify that the server validates the Origin header during the WebSocket handshake to enforce same-origin policy.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to hijack WhatsApp sessions, read incoming messages, steal authentication QR codes, and send messages on behalf of the user by exploiting a Cross-Site WebSocket Hijacking issue in the nanobot bridge's WebSocket server.

Such unauthorized access to personal communications and authentication data could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Nanobot WhatsApp Bridge WebSocket server is running locally on ws://127.0.0.1:3001 without token authentication enabled and without Origin header validation.

To detect the vulnerable service, you can check for a listening WebSocket server on port 3001 bound to localhost (127.0.0.1). For example, use the following command to check if the port is open:

• netstat -an | grep 127.0.0.1:3001

You can also use curl or websocat to attempt a WebSocket connection and observe if the server accepts connections without token authentication or Origin validation.

• websocat ws://127.0.0.1:3001

If the connection is accepted without requiring a token or rejecting cross-origin requests, the system is vulnerable.

Additionally, reviewing the configuration or environment variables to see if BRIDGE_TOKEN is set or not can help determine if token authentication is enabled.

Useful 0 Not Useful 0