CVE-2026-2577

{"id": "CVE-2026-2577", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.9}]}, "published": "2026-02-16T10:16:08.827", "references": [{"url": "https://github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7", "source": "[email protected]"}, {"url": "https://www.tenable.com/security/research/tra-2026-09", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes."}, {"lang": "es", "value": "El componente de puente de WhatsApp en Nanobot enlaza el servidor WebSocket a todas las interfaces de red (0.0.0.0) en el puerto 3001 por defecto y no requiere autenticaci\u00f3n para las conexiones entrantes. Un atacante remoto no autenticado con acceso de red al puente puede conectarse al servidor WebSocket para secuestrar la sesi\u00f3n de WhatsApp. Esto permite al atacante enviar mensajes en nombre del usuario, interceptar todos los mensajes y medios entrantes en tiempo real, y capturar c\u00f3digos QR de autenticaci\u00f3n."}], "lastModified": "2026-02-18T17:52:22.253", "sourceIdentifier": "[email protected]"}