CVE-2026-33654CRITICAL 9.8EPSS p38.2%

CVE-2026-33654CVE-2026-33654

Description

nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.49% probability of exploitation · percentile 38.2% · 2026-06-18T12:00:27Z
Published2026-03-27
Last modified2026-04-08

Underlying weaknesses· 3

CWE-94CWE-290CWE-1336

References

  1. https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3
  2. https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3

3

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements Used in a Template Enginecwe-13360%live
WeaknessAuthentication Bypass by Spoofingcwe-2900%live
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-49139
CVE
CVE-2026-35589
CVE
CVE-2025-46059
CVE
CVE-2026-31236
CVE
CVE-2026-10210
CVE
CVE-2026-31854
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.