CVE-2026-2577

Severity: Critical
Published: 16 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Nanobot release v0.1.3.post7, see references)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0065 (46.1st percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-2577 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 46.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2026-2577 is a critical vulnerability in the WhatsApp bridge component of Nanobot, published on 2026-02-16. The issue stems from the WebSocket server binding to all network interfaces (0.0.0.0) on port 3001 by default, with no authentication required for incoming connections (CWE-306). This configuration exposes the service to remote network access, earning a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

An unauthenticated remote attacker who can reach the affected bridge over the network can connect directly to the WebSocket server and hijack the user's WhatsApp session. Successful exploitation enables the attacker to send messages on behalf of the victim, intercept all incoming messages and media in real time, and capture the authentication QR codes used for session login.

Mitigation details are available in the Nanobot release notes at https://github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7, which addresses the issue, and the Tenable research advisory at https://www.tenable.com/security/research/tra-2026-09.

Vulnerability details

The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real time, and capture authentication QR codes.

CWE(s)

CWE-306 Missing Authentication for Critical Function

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote access to the publicly bound WebSocket service directly enables exploitation of a public-facing application (T1190), resulting in WhatsApp session hijacking and message interception.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)
CVE-2026-48692 (shared CWE-306)
CVE-2022-50981 (shared CWE-306)
CVE-2025-58083 (shared CWE-306)
CVE-2025-21515 (shared CWE-306)

Mitigating Controls (NIST 800-53 r5)

CM-6 Configuration Settings (prevent): mandates secure configuration settings for the WebSocket server so that it binds only to localhost or authorized interfaces and enables authentication, directly countering the default insecure binding to 0.0.0.0 on port 3001.

IA-9 Service Identification and Authentication (prevent): requires the WhatsApp bridge WebSocket service to identify and authenticate all incoming connections before granting access, preventing unauthenticated session hijacking.

SC-7 Boundary Protection (prevent): enforces boundary protection mechanisms such as firewalls to monitor and control network access to port 3001, blocking remote attackers from reaching the exposed WebSocket server.
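The two configuration-level controls above (bind scope and connection authentication) can be checked mechanically. The following is an added example written for this page; it is not Nanobot's code or its actual fix. The BridgeConfig shape, the function names, and the 32-character minimum token length are assumptions for illustration. It audits a bridge configuration for the insecure default described in the advisory (all-interfaces bind on port 3001, no authentication), produces a corrected configuration (loopback bind plus a random shared token), and shows a fail-closed token check for incoming connections.

```python
# Added example (not Nanobot project code): audit a WebSocket bridge's bind
# address and authentication setting for the weakness described on this page,
# and show a fail-closed token check for incoming connections.
# The BridgeConfig shape, function names and token length are assumptions.
from dataclasses import dataclass, replace
import hmac
import ipaddress
import secrets
from typing import Optional

BRIDGE_PORT = 3001  # default port named in the advisory
MIN_TOKEN_LEN = 32  # assumed minimum length for a shared secret


@dataclass(frozen=True)
class BridgeConfig:
    host: str                  # interface the WebSocket server binds to
    port: int
    auth_token: Optional[str]  # shared secret clients must present; None means no auth


def bind_scope(host: str) -> str:
    """Classify a bind address: 'loopback', 'all_interfaces', 'specific' or 'unknown'."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # a hostname; cannot tell statically where it resolves
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all_interfaces"
    if addr.is_loopback:     # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"


def audit_bridge_config(cfg: BridgeConfig) -> list[str]:
    """Return findings mapped to the CM-6 / IA-9 controls; an empty list means clean."""
    findings = []
    scope = bind_scope(cfg.host)
    if scope == "all_interfaces":
        findings.append(f"CM-6: server binds to all interfaces ({cfg.host}:{cfg.port})")
    elif scope == "unknown":
        findings.append(f"CM-6: bind host {cfg.host!r} is not an IP literal; "
                        "verify it is not externally reachable")
    if not cfg.auth_token:
        findings.append("IA-9: no authentication required for incoming connections")
    elif len(cfg.auth_token) < MIN_TOKEN_LEN:
        findings.append("IA-9: authentication token is too short to resist guessing")
    return findings


def harden(cfg: BridgeConfig) -> BridgeConfig:
    """Return a corrected config: loopback bind, and a fresh random token if none is adequate."""
    keep = cfg.auth_token if cfg.auth_token and len(cfg.auth_token) >= MIN_TOKEN_LEN else None
    return replace(cfg, host="127.0.0.1", auth_token=keep or secrets.token_urlsafe(32))


def accept_connection(cfg: BridgeConfig, presented_token: Optional[str]) -> bool:
    """Fail-closed handshake check: reject when no token is configured or none is presented.

    The comparison is constant-time so the token cannot be recovered byte by byte.
    """
    if not cfg.auth_token or not presented_token:
        return False
    return hmac.compare_digest(cfg.auth_token.encode(), presented_token.encode())


if __name__ == "__main__":
    # Constructed sample: the insecure default described in the advisory.
    insecure = BridgeConfig(host="0.0.0.0", port=BRIDGE_PORT, auth_token=None)
    for finding in audit_bridge_config(insecure):
        print("FINDING:", finding)
    fixed = harden(insecure)
    print("after hardening:", audit_bridge_config(fixed) or "no findings")
    print("handshake without token accepted:", accept_connection(fixed, None))
    print("handshake with correct token accepted:", accept_connection(fixed, fixed.auth_token))
```

The bind check treats `::` the same as `0.0.0.0`, since an IPv6 unspecified bind exposes the service just as widely, and it flags hostnames it cannot resolve statically rather than assuming they are safe. The handshake check rejects when no token is configured at all, so a missing setting fails closed instead of silently disabling authentication.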

References

Nanobot release notes (fix): https://github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7
Tenable research advisory: https://www.tenable.com/security/research/tra-2026-09