CVE-2026-49138
Deferred - Pending Action
Server-Side Request Forgery in Nanobot Web Fetch Tool

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: VulnCheck

Description
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the automatic HTTP redirect following behavior in the httpx library to bypass initial URL validation and cause the runtime to send outbound requests to internal hosts before final resolved URL validation is applied.
Meta Information
Generated: 2026-06-22
AI Q&A: 2026-06-02
EPSS evaluated: 2026-06-20
Affected Vendors & Products
Vendor: hkuds
Product: nanobot
Version / Range: up to 0.2.1 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Detection Guidance

Detection of this SSRF vulnerability involves monitoring for outbound HTTP requests that follow redirects to internal or private network addresses, which should normally be inaccessible from external sources.

One approach is to analyze network traffic for HTTP requests that include 3xx redirect responses leading to loopback or private IP addresses.

Network packet capture tools such as tcpdump or Wireshark can be used to filter HTTP traffic and identify suspicious redirect chains, for example:

  • tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep -E 'HTTP/1.1 3[0-9]{2}|Location:' (this only reveals plaintext HTTP; redirects inside TLS sessions on port 443 cannot be inspected this way without decryption at a proxy).
  • Use curl with verbose output to manually test URLs for unsafe redirects, e.g., curl -v <URL>, and observe Location headers pointing to private IP ranges.

Additionally, reviewing application logs for outbound HTTP requests that target internal IP addresses or loopback addresses can help identify exploitation attempts.

Executive Summary

This vulnerability exists in Nanobot versions prior to 0.2.1 within the web_fetch tool. It is a server-side request forgery (SSRF) issue that allows remote attackers to make the server send requests to internal or private network hosts. This happens because the tool follows HTTP redirects automatically using the httpx library, which can be manipulated via a 3xx Location header to redirect to loopback or private addresses. The initial URL validation is bypassed due to this redirect behavior, causing the runtime to send outbound requests before the final URL validation occurs.

Impact Analysis

This vulnerability can allow an attacker to access internal or private network resources that are normally not accessible from outside the network. By exploiting the SSRF, attackers can potentially reach sensitive internal services, which may lead to information disclosure or further attacks within the internal network.

Mitigation Strategies

The primary mitigation is to upgrade Nanobot to version 0.2.1 or later, where the vulnerability has been fixed by implementing strict validation of redirect targets before following them.

The fix replaces automatic redirect following with a manual process that blocks redirects to private, loopback, or internal network addresses before any request is sent.
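The following is an added illustration of that mitigation pattern, written for this page and not taken from the Nanobot project: redirects are followed manually, and every hop (including relative Location values and IPv6 literals) is resolved and checked against loopback, private and link-local ranges before the next request is sent. The `send` callable stands in for an HTTP client configured not to follow redirects on its own (in httpx, `follow_redirects=False`); the resolver, DNS answers and the 302-to-loopback redirect chain are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit
REDIRECT_CODES = {301, 302, 303, 307, 308}

def is_internal_ip(ip):
    """True for loopback, RFC 1918, link-local (169.254.169.254 included), etc."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified

def dns_resolver(host):  # real resolver: every A/AAAA answer for host (needs network)
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_url(url, resolver=dns_resolver):
    """Raise ValueError unless url is http(s) to a public address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported or malformed URL: %s" % url)
    try:
        ips = [str(ipaddress.ip_address(parts.hostname))]  # IP literal, [::1] too
    except ValueError:
        ips = resolver(parts.hostname)  # hostname: check what it resolves to
    for ip in ips:
        if is_internal_ip(ip):
            raise ValueError("blocked: %s -> internal %s" % (parts.hostname, ip))

def fetch_checked(url, send, resolver=dns_resolver, max_redirects=5):
    """Manual redirect loop: validate each hop BEFORE any request is sent.
    send(url) returns (status, headers, body) without following redirects."""
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, headers, body = send(url)
        loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_CODES or loc is None:
            return url, status, body
        url = urljoin(url, loc)  # Location may be relative; re-checked next pass
    raise ValueError("too many redirects")
# Constructed demo data (no network): fake DNS answers and a fake server whose
# /start answers 302 with a loopback Location, as in the CVE description.
DEMO_DNS = {"example.com": ["93.184.216.34"], "intranet.corp": ["10.1.2.3"]}
demo_resolver = DEMO_DNS.__getitem__
DEMO_RESPONSES = {
    "http://example.com/start": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    "http://example.com/ok": (301, {"Location": "/final"}, b""),
    "http://example.com/final": (200, {}, b"public content"),
}
def demo_send(url):
    if url not in DEMO_RESPONSES:
        raise AssertionError("request reached a blocked host: " + url)
    return DEMO_RESPONSES[url]
```

With the demo data, `fetch_checked("http://example.com/start", demo_send, demo_resolver)` raises before any request to 127.0.0.1 is made, while the `/ok` chain completes normally.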

If upgrading immediately is not possible, consider disabling or restricting the web_fetch tool's ability to follow redirects or limit its network access to prevent outbound requests to internal networks.

Monitoring and blocking suspicious outbound HTTP requests to private IP ranges at the network firewall or proxy level can also reduce risk.
