Description
nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.
Published: 2026-03-27
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An indirect prompt injection flaw in nanobot's email channel allows a remote, unauthenticated attacker to deliver malicious content through a monitored email address, where the bot treats the email body as fully trusted input, injects it into the large language model for instruction generation, and can trigger system tools; the attacker can thus execute arbitrary LLM instructions and effectively run code on the host, leading to full system compromise.

Affected Systems

The vulnerability affects the nanobot personal AI assistant developed by HKUDS in any release prior to version 0.1.6, including 0.1.4 and its post versions (post1 through post5), as well as any earlier releases that contain the same email channel code; the software runs in Python environments.

Risk and Exploitability

The CVSS score of 8.9 classifies this vulnerability as high severity, and the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild; nevertheless, the attack requires only a single, zero‑click email with no user interaction, and since the flaw is not listed in the CISA KEV catalog there is no evidence of widespread exploitation yet, but administrators should treat it as a high‑risk issue that can be triggered remotely via email.

Generated by OpenCVE AI on April 8, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nanobot to version 0.1.6 or later.
  • Disable or temporarily block the email channel until the patch is applied if upgrading immediately is not possible.
  • Review and monitor email logs for anomalous activity to detect potential exploitation attempts.

Generated by OpenCVE AI on April 8, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Nanobot
Nanobot nanobot
CPEs cpe:2.3:a:nanobot:nanobot:*:*:*:*:*:python:*:*
cpe:2.3:a:nanobot:nanobot:0.1.4:-:*:*:*:python:*:*
cpe:2.3:a:nanobot:nanobot:0.1.4:post1:*:*:*:python:*:*
cpe:2.3:a:nanobot:nanobot:0.1.4:post2:*:*:*:python:*:*
cpe:2.3:a:nanobot:nanobot:0.1.4:post3:*:*:*:python:*:*
cpe:2.3:a:nanobot:nanobot:0.1.4:post4:*:*:*:python:*:*
cpe:2.3:a:nanobot:nanobot:0.1.4:post5:*:*:*:python:*:*
Vendors & Products Nanobot
Nanobot nanobot
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 31 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Hkuds
Hkuds nanobot
Vendors & Products Hkuds
Hkuds nanobot

Fri, 27 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.
Title Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling
Weaknesses CWE-1336
CWE-290
CWE-94
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Hkuds Nanobot
Nanobot Nanobot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T18:59:48.689Z

Reserved: 2026-03-23T15:23:42.218Z

Link: CVE-2026-33654

cve-icon Vulnrichment

Updated: 2026-03-30T18:59:36.073Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T20:16:32.363

Modified: 2026-04-08T15:19:02.943

Link: CVE-2026-33654

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:06Z

Weaknesses