CVE-2026-2577
Published: 16 February 2026
Summary
CVE-2026-2577 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-9 (Service Identification and Authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates secure configuration settings for the WebSocket server to bind only to localhost or authorized interfaces and enable authentication, directly countering the default insecure binding to 0.0.0.0 on port 3001.
Requires the WhatsApp bridge WebSocket service to identify and authenticate all incoming connections before granting access, preventing unauthenticated session hijacking.
Enforces boundary protection mechanisms like firewalls to monitor and control network access to port 3001, blocking remote attackers from reaching the exposed WebSocket server.
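One way to check a host for the bind exposure these controls address, as an added example (not code from Nanobot, Tenable or this page): it parses `ss -ltnH` output and reports listeners on port 3001 that are not loopback-only. The sample output is constructed, and the function names are this example's own.

```python
import ipaddress

BRIDGE_PORT = 3001  # default bridge port named in the advisory

# Constructed sample of `ss -ltnH` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:3001 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:3001 [::]:*
LISTEN 0 511 [::1]:3001 [::]:*
LISTEN 0 128 192.168.1.20:3001 0.0.0.0:*
LISTEN 0 4096 *:8080 *:*
"""

def split_local(field):
    """Split the ss 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop zone id and IPv6 brackets
    return host, int(port)

def exposure(host):
    """Classify a bind address as loopback, wildcard, or a specific interface."""
    if host == "*":
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "interface"

def audit(ss_output, port=BRIDGE_PORT):
    """Return (local_address, exposure) for listeners on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, lport = split_local(cols[3])
        if lport != port:
            continue
        kind = exposure(host)
        if kind != "loopback":
            findings.append((cols[3], kind))
    return findings

if __name__ == "__main__":
    for addr, kind in audit(SAMPLE_SS):
        print(f"port {BRIDGE_PORT} reachable off-host: {addr} ({kind} bind)")
```

An empty result only shows that the port is bound to loopback; it says nothing about whether the service authenticates incoming connections.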
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote access to the publicly bound WebSocket service directly enables exploitation of a public-facing application (T1190), resulting in WhatsApp session hijacking and message interception.
NVD Description
The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsApp session. This allows the attacker to send messages on behalf of the user, intercept all incoming messages and media in real-time, and capture authentication QR codes.
Deeper analysis
CVE-2026-2577 is a critical vulnerability in the WhatsApp bridge component of Nanobot, published on 2026-02-16. The issue stems from the WebSocket server binding to all network interfaces (0.0.0.0) on port 3001 by default, with no authentication required for incoming connections (CWE-306). This configuration exposes the service to remote network access, earning a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
An unauthenticated remote attacker who can reach the affected bridge over the network can connect directly to the WebSocket server and hijack the user's WhatsApp session. Successful exploitation enables the attacker to send messages on behalf of the victim, intercept all incoming messages and media in real-time, and capture authentication QR codes used for session login.
Mitigation details are available in the Nanobot release notes at https://github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7, which addresses the issue, and the Tenable research advisory at https://www.tenable.com/security/research/tra-2026-09.
Details
- CWE(s)