{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33654", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.218Z", "datePublished": "2026-03-27T19:43:49.193Z", "dateUpdated": "2026-03-30T18:59:48.689Z"}, "containers": {"cna": {"title": "Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3"}], "affected": [{"vendor": "HKUDS", "product": "nanobot", "versions": [{"version": "< 0.1.4.post6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:43:49.193Z"}, "descriptions": [{"lang": "en", "value": "nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue."}], "source": {"advisory": "GHSA-4gmr-2vc8-7qh3", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:59:44.585899Z", "id": "CVE-2026-33654", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:59:48.689Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33654", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T18:59:44.585899Z"}}}], "references": [{"url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:59:36.073Z"}}], "cna": {"title": "Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling", "source": {"advisory": "GHSA-4gmr-2vc8-7qh3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HKUDS", "product": "nanobot", "versions": [{"status": "affected", "version": "< 0.1.4.post6"}]}], "references": [{"url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3", "name": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:43:49.193Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33654", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:59:48.689Z", "dateReserved": "2026-03-23T15:23:42.218Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T19:43:49.193Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nanobot:nanobot:*:*:*:*:*:python:*:*", "matchCriteriaId": "4613D3BB-4C2B-4F02-9807-E42CFCB21525", "versionEndExcluding": "0.1.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanobot:nanobot:0.1.4:-:*:*:*:python:*:*", "matchCriteriaId": "E13C548B-00C2-4BC2-8B9D-71E446D00E22", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanobot:nanobot:0.1.4:post1:*:*:*:python:*:*", "matchCriteriaId": "F3EF840D-CFCC-4BED-B4A4-FEA25E642B79", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanobot:nanobot:0.1.4:post2:*:*:*:python:*:*", "matchCriteriaId": "96F3AEC6-D3E3-4A2B-A79E-EA44766FAAD9", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanobot:nanobot:0.1.4:post3:*:*:*:python:*:*", "matchCriteriaId": "CE228286-097D-4F2E-A8D7-DBF71197E50D", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanobot:nanobot:0.1.4:post4:*:*:*:python:*:*", "matchCriteriaId": "69C2B418-35C6-4F72-8355-018575BA8667", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanobot:nanobot:0.1.4:post5:*:*:*:python:*:*", "matchCriteriaId": "DC08A055-67E4-4752-A373-CCB966A863BD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue."}], "id": "CVE-2026-33654", "lastModified": "2026-04-08T15:19:02.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:32.363", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.1.4.post6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nanobot", "source": "cna", "vendor": "HKUDS"}, "product": "nanobot", "vendor": "hkuds"}], "analysis": {"en": {"generated_at": "2026-04-08T16:28:57.588790+00:00", "value": {"mitigation_remediation": ["Upgrade nanobot to version 0.1.6 or later.", "Disable or temporarily block the email channel until the patch is applied if upgrading immediately is not possible.", "Review and monitor email logs for anomalous activity to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nanobot personal AI assistant developed by HKUDS in any release prior to version 0.1.6, including 0.1.4 and its post versions (post1 through post5), as well as any earlier releases that contain the same email channel code; the software runs in Python environments.", "description_and_impact": "An indirect prompt injection flaw in nanobot's email channel allows a remote, unauthenticated attacker to deliver malicious content through a monitored email address, where the bot treats the email body as fully trusted input, injects it into the large language model for instruction generation, and can trigger system tools; the attacker can thus execute arbitrary LLM instructions and effectively run code on the host, leading to full system compromise.", "risk_and_exploitability": "The CVSS score of 8.9 classifies this vulnerability as high severity, and the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation in the wild; nevertheless, the attack requires only a single, zero\u2011click email with no user interaction, and since the flaw is not listed in the CISA KEV catalog there is no evidence of widespread exploitation yet, but administrators should treat it as a high\u2011risk issue that can be triggered remotely via email."}}}}, "created": "2026-03-29T20:30:23.564753+00:00", "updated": "2026-04-08T20:01:06.313190+00:00", "vendors": ["hkuds", "hkuds$PRODUCT$nanobot"]}