CVE-2026-2577
Published 2026-02-16
Priority: P2 · 77 · critical · 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.65% (46.3th percentile)
The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hkuds | nanobot | < 0.1.5 | 0.1.5 |
| nanobot | nanobot | < 0.1.5 | 0.1.5 |
Detection & IOCs (extracted from sources)
- Detect cross-origin WebSocket connection attempts to ws://127.0.0.1:3001/. The nanobot bridge server does not validate the Origin header during the WebSocket handshake, so any inbound WS upgrade request to this endpoint from a non-local origin is suspicious.
- Flag nanobot bridge instances running versions prior to 0.1.5 (CVE-2026-2577 fix shipped in 0.1.5); the original incomplete fix only changed binding from 0.0.0.0 to 127.0.0.1 and added an optional but disabled-by-default BRIDGE_TOKEN.
- Monitor for nanobot bridge processes listening on port 3001 on loopback without token authentication enabled (BRIDGE_TOKEN not set), as this is the exploitable default configuration.
- The vulnerable code path is in bridge/src/server.ts; source code review or file presence of this path indicates the nanobot bridge component is deployed.
- Token authentication (BRIDGE_TOKEN) is optional and disabled by default, so exploitation requires no credentials in the default configuration.
- The fix in version 0.1.5 addresses CVE-2026-2577; the BleepingComputer source references a different version string (0.13.post7) for the same CVE. Verify the exact fixed version against the official nanobot release notes before deploying detections based on version strings.
- CVE-2026-35589 (NVD doc) is described as an incomplete remediation of CVE-2026-2577. Detections should target both the original and the bypass, and patching to 0.1.5 addresses the incomplete fix (CVE-2026-35589), not just the original CVE-2026-2577.
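The listener checks in the list above can be run as a host audit. The sketch below is an added example, not code from nanobot or from the sources this page aggregates: it parses `ss -H -ltnp` output and labels every listener on port 3001 by bind scope and by whether BRIDGE_TOKEN is set. The sample socket lines, PIDs, the `node` process name and the pid-to-environment map are constructed, and it assumes BRIDGE_TOKEN reaches the bridge as an environment variable.

```python
import ipaddress
import re

BRIDGE_PORT = 3001  # default bridge port named in the advisory

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:3001 0.0.0.0:* users:(("node",pid=4121,fd=23))
LISTEN 0 511 127.0.0.1:3001 0.0.0.0:* users:(("node",pid=4188,fd=23))
LISTEN 0 511 [::1]:3001 [::]:* users:(("node",pid=4290,fd=23))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""

# Constructed pid -> environment map. Assumption: BRIDGE_TOKEN reaches the
# bridge as an environment variable; on a live host read /proc/<pid>/environ.
SAMPLE_ENV = {4121: {}, 4188: {}, 4290: {"BRIDGE_TOKEN": "constructed-value"}}


def bind_scope(host):
    """Classify a listen address as 'loopback' or 'network'."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return "network"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "network"


def audit(ss_output, env_by_pid, port=BRIDGE_PORT):
    """Return (pid, bind address, verdict) for every listener on the port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port_str = fields[3].rpartition(":")
        if port_str != str(port):
            continue
        match = re.search(r"pid=(\d+)", line)
        pid = int(match.group(1)) if match else None
        token = "token" if env_by_pid.get(pid, {}).get("BRIDGE_TOKEN") else "no-auth"
        findings.append((pid, host.strip("[]"), f"{bind_scope(host)}-{token}"))
    return findings


if __name__ == "__main__":
    for pid, addr, verdict in audit(SAMPLE_SS, SAMPLE_ENV):
        print(f"pid={pid} bind={addr}:{BRIDGE_PORT} -> {verdict}")
```

A `network-no-auth` verdict matches the original CVE-2026-2577 default, and `loopback-no-auth` matches the incomplete-fix default described above; the verdict strings are this example's own labels.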
No detection rules found.
No public exploits indexed.