Description
nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes them to disk using a filename derived from the sender's message via documentMessage.fileName, which is concatenated with a prefix and its raw value is passed directly to path.join(mediaDir, outFilename). Node.js path.join resolves .. components, allowing an attacker to escape the intended media/ directory by sending a document with a crafted fileName such as ../../../.ssh/authorized_keys. Because the attacker also controls the file content (the downloaded buffer), this is a write-anywhere primitive — both path and content are attacker-controlled. A fix for this issue is planned for version 0.1.5.post4.
Published: 2026-06-18
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the nanobot WhatsApp bridge concatenates a document message's fileName field directly into a file system path without sanitization. The path is then passed to Node.js path.join, which resolves any '..' components, allowing an attacker to escape the intended media directory. The attacker also controls the file content, giving them a write-anywhere primitive. By crafting a fileName such as '../../../.ssh/authorized_keys' and sending a suitable document, an attacker can overwrite privileged files or drop malicious payloads, leading to remote code execution or privilege escalation.

Affected Systems

The affected vendor is HKUDS, product nanobot. Versions 0.1.5.post3 and all earlier releases contain the flaw. The product is a personal AI assistant that communicates via WhatsApp.

Risk and Exploitability

With a CVSS score of 8.7, the flaw poses high severity. The EPSS score is unavailable and the vulnerability is not listed in CISA's KEV catalog, but the path traversal and arbitrary write mechanism make exploitation straightforward for a sender controlling WhatsApp messages. The likely attack vector involves an attacker sending a crafted document through the WhatsApp bridge. Successful exploitation could enable remote code execution or compromise system files such as SSH authorized_keys.

Generated by OpenCVE AI on June 18, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to nanobot version 0.1.5.post4 or later, which contains the planned fix for the path traversal issue.
  • If an upgrade is not immediately possible, modify the WhatsApp bridge to sanitize the fileName field before joining the path, removing any '..' components and rejecting unsafe characters.
  • As a temporary containment, block or monitor incoming WhatsApp document messages from untrusted senders, or restrict file write permissions in the media directory to prevent accidental overwrites.

Generated by OpenCVE AI on June 18, 2026 at 21:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Hkuds
Hkuds nanobot
Vendors & Products Hkuds
Hkuds nanobot

Thu, 18 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes them to disk using a filename derived from the sender's message via documentMessage.fileName, which is concatenated with a prefix and its raw value is passed directly to path.join(mediaDir, outFilename). Node.js path.join resolves .. components, allowing an attacker to escape the intended media/ directory by sending a document with a crafted fileName such as ../../../.ssh/authorized_keys. Because the attacker also controls the file content (the downloaded buffer), this is a write-anywhere primitive — both path and content are attacker-controlled. A fix for this issue is planned for version 0.1.5.post4.
Title nanobot: Path traversal via unsanitized WhatsApp document fileName enables arbitrary file write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:41:03.264Z

Reserved: 2026-05-22T18:47:27.755Z

Link: CVE-2026-48716

cve-icon Vulnrichment

Updated: 2026-06-22T15:40:24.810Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')