Description
nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.
Published: 2026-03-27
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

nanobot, a personal AI assistant, contains an indirect prompt injection flaw in its email channel module. An unauthenticated attacker can send a single email containing malicious prompts to the bot's monitored address; the bot automatically polls the mailbox and treats the email content as highly trusted input, bypassing channel isolation. This lets the attacker trigger arbitrary LLM instructions and subsequently execute system tools, effectively granting remote code execution.

Affected Systems

The vulnerability affects the nanobot product from HKUDS; all versions older than 0.1.6 are impacted, while version 0.1.6 and later include the necessary patch.

Risk and Exploitability

With a CVSS score of 8.9, the flaw is of high severity. No EPSS data is available and the flaw is not listed in the CISA KEV catalog, but the attack vector is a zero-click, email-based exploit that requires no interaction from the bot owner, making it highly likely to be abused; a successful attacker can execute arbitrary system tools.

Generated by OpenCVE AI on March 27, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply update to nanobot version 0.1.6 or later to patch the email channel processing flaw
  • If an immediate update is not possible, temporarily disable or restrict the email channel to prevent unsolicited emails from being processed
  • Monitor the bot's monitored email address for suspicious activity and block or quarantine untrusted email traffic

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   -                nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.
Title         -                Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling
Weaknesses    -                CWE-1336, CWE-290, CWE-94
References    -                -
Metrics       -                cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:43:49.193Z

Reserved: 2026-03-23T15:23:42.218Z

Link: CVE-2026-33654

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:32.363

Modified: 2026-03-27T20:16:32.363

Link: CVE-2026-33654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:30:23Z

Weaknesses