CVE-2026-35589: CWE-1385: Missing Origin Validation in WebSockets in HKUDS nanobot
CVE-2026-35589 is a high-severity vulnerability in versions of HKUDS nanobot prior to 0. 1. 5. It involves missing Origin header validation in the WebSocket server, allowing Cross-Site WebSocket Hijacking (CSWSH). An attacker can exploit this by establishing a WebSocket connection from a malicious website to the local bridge server, gaining full access to the bridge API. This enables hijacking WhatsApp sessions, reading messages, stealing authentication QR codes, and sending messages as the user. The issue was fixed in version 0. 1. 5.
AI Analysis
Technical Summary
The vulnerability arises from incomplete remediation of a previous issue (CVE-2026-2577). Although the server binding was restricted to localhost and an optional token authentication was introduced, token authentication is disabled by default and the server does not validate the Origin header during the WebSocket handshake. Browsers do not enforce Same-Origin Policy on WebSockets unless the server explicitly denies cross-origin connections, allowing any website visited by the user to connect to ws://127.0.0.1:3001/ and fully control the bridge API. This can lead to session hijacking and unauthorized message access and sending. The vulnerability is resolved in nanobot version 0.1.5.
Potential Impact
Successful exploitation allows an attacker to hijack the WhatsApp session managed by the nanobot bridge, read incoming messages, steal authentication QR codes, and send messages on behalf of the user. This compromises user privacy and account integrity. The CVSS score is 8.0 (high), reflecting network attack vector, high impact on confidentiality and integrity, and requiring user interaction with a malicious website.
Mitigation Recommendations
This vulnerability is fixed in nanobot version 0.1.5. Users and administrators should upgrade to version 0.1.5 or later to remediate this issue. Since no official patch link or vendor advisory is provided, verify the upgrade from the official HKUDS nanobot release channels. Until upgraded, users should avoid visiting untrusted websites while running vulnerable versions of the bridge. Patch status is not explicitly confirmed by a vendor advisory but the description states the issue is fixed in 0.1.5.
CVE-2026-35589: CWE-1385: Missing Origin Validation in WebSockets in HKUDS nanobot
Description
CVE-2026-35589 is a high-severity vulnerability in versions of HKUDS nanobot prior to 0. 1. 5. It involves missing Origin header validation in the WebSocket server, allowing Cross-Site WebSocket Hijacking (CSWSH). An attacker can exploit this by establishing a WebSocket connection from a malicious website to the local bridge server, gaining full access to the bridge API. This enables hijacking WhatsApp sessions, reading messages, stealing authentication QR codes, and sending messages as the user. The issue was fixed in version 0. 1. 5.
CVSS v3.1
Score 8.0high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from incomplete remediation of a previous issue (CVE-2026-2577). Although the server binding was restricted to localhost and an optional token authentication was introduced, token authentication is disabled by default and the server does not validate the Origin header during the WebSocket handshake. Browsers do not enforce Same-Origin Policy on WebSockets unless the server explicitly denies cross-origin connections, allowing any website visited by the user to connect to ws://127.0.0.1:3001/ and fully control the bridge API. This can lead to session hijacking and unauthorized message access and sending. The vulnerability is resolved in nanobot version 0.1.5.
Potential Impact
Successful exploitation allows an attacker to hijack the WhatsApp session managed by the nanobot bridge, read incoming messages, steal authentication QR codes, and send messages on behalf of the user. This compromises user privacy and account integrity. The CVSS score is 8.0 (high), reflecting network attack vector, high impact on confidentiality and integrity, and requiring user interaction with a malicious website.
Mitigation Recommendations
This vulnerability is fixed in nanobot version 0.1.5. Users and administrators should upgrade to version 0.1.5 or later to remediate this issue. Since no official patch link or vendor advisory is provided, verify the upgrade from the official HKUDS nanobot release channels. Until upgraded, users should avoid visiting untrusted websites while running vulnerable versions of the bridge. Patch status is not explicitly confirmed by a vendor advisory but the description states the issue is fixed in 0.1.5.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T20:09:02.828Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dec76b82d89c981f15e829
Added to database: 4/14/2026, 11:02:03 PM
Last enriched: 4/22/2026, 6:44:52 AM
Last updated: 5/29/2026, 10:46:10 PM
Views: 217
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.