CVE-2026-28801
Published: 06 March 2026
Summary
CVE-2026-28801 is a medium-severity Code Injection (CWE-94) vulnerability in Natroteam Natro Macro. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique AutoHotKey & AutoIT (T1059.010). The CVE ranks at the 7.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2026-28801 is a code injection vulnerability (CWE-94) affecting Natro Macro, an open-source AutoHotkey-based macro for the Bee Swarm Simulator game. In versions prior to 1.1.0, the software executes arbitrary AutoHotkey (AHK) code embedded within user-supplied pattern or path files. This flaw arises because the macro directly interprets and runs AHK scripts from these files without validation, enabling unintended code execution. The vulnerability carries a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An attacker can exploit this vulnerability by crafting and sharing a malicious pattern or path file containing hidden AHK code, taking advantage of the common practice of users exchanging such files within the Bee Swarm Simulator community. Exploitation requires local access to the victim's system, low privileges, and user interaction to load the file into Natro Macro. Once loaded, the malicious code executes silently in the background alongside the legitimate macro functionality, with high impact on confidentiality and integrity (stealing data, modifying files, or performing other arbitrary actions) and no impact on availability.
The GitHub security advisory at https://github.com/NatroTeam/NatroMacro/security/advisories/GHSA-c5gm-vfvf-pwhx confirms the issue and states that it has been fully addressed in Natro Macro version 1.1.0, recommending that users upgrade immediately to mitigate the risk. No additional workarounds are detailed in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10008
Vulnerability details
Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, any AHK code contained inside of a pattern or path file is executed by the macro. Since users commonly share path/pattern files, an attacker could share a file containing malicious code, which is then executed by the program. This code can operate in silence alongside the pattern, running in the background to do whatever the attacker pleases. This issue has been patched in version 1.1.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables arbitrary AutoHotkey code execution from unvalidated user-supplied files (T1059.010, AutoHotKey & AutoIT), and exploitation requires a user to load the malicious file (T1204.002, User Execution: Malicious File).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of AHK code contained in untrusted pattern/path files before execution, eliminating the injection vector.
- SI-3 (Malicious Code Protection): mandates mechanisms to detect and block malicious code embedded in user-shared files before the macro interprets and runs it.
- Integrity verification of externally supplied pattern/path files, to ensure they have not been tampered with to contain hidden AHK payloads.
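As an added illustration of the three controls above (not code from Natro Macro or its advisory), the following Python gate checks a community-shared pattern/path file before a macro would be allowed to interpret it: it pins reviewed files by SHA-256 digest and flags any non-comment line that begins with an AHK command a movement pattern has no reason to contain. The sample pattern text, the `nm_Walk`-style movement lines and the high-risk command list are assumptions for the example; the durable fix remains upgrading to 1.1.0.

```python
import hashlib
import re

# Constructed sample pattern: benign movement lines in an assumed shape, plus one
# AHK command hidden behind blank lines, as the advisory describes.
SAMPLE_PATTERN = """; flower field pattern (constructed sample)
nm_Walk(5, "w")
Send, {space}
Sleep, 400
nm_Walk(5, "d")



Run, calc.exe  ; would execute silently alongside the pattern
"""

# Digests of pattern files the user has already reviewed (constructed placeholder).
TRUSTED_DIGESTS = {hashlib.sha256(b'nm_Walk(5, "w")\n').hexdigest()}

# AHK commands/directives a movement pattern has no reason to use (assumed baseline,
# not exhaustive): process launch, DLL calls, network, file/registry writes, COM, includes.
HIGH_RISK = re.compile(
    r"^(?:#Include(?:Again)?|Run(?:Wait)?|DllCall|UrlDownloadToFile|Download|"
    r"File(?:Append|Delete|Copy|Move|Install|Recycle|RemoveDir|CreateDir)|"
    r"Reg(?:Write|Delete)|ComObj(?:Create|Get|Active)|Process|Shutdown)\b",
    re.IGNORECASE,
)

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def find_high_risk(text):
    """Return (line_number, line) for each non-comment line starting with a high-risk command."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith(";") and HIGH_RISK.match(line):
            hits.append((no, line))
    return hits

def decide(text, trusted=TRUSTED_DIGESTS):
    """Gate a pattern/path file before it is interpreted.
    'trusted': digest matches a reviewed file (integrity check passes)
    'blocked': unreviewed file containing high-risk commands
    'review' : unreviewed file with no hits; still needs a human look before use"""
    if sha256_hex(text) in trusted:
        return "trusted"
    return "blocked" if find_high_risk(text) else "review"

if __name__ == "__main__":
    for no, line in find_high_risk(SAMPLE_PATTERN):
        print(f"line {no}: {line}")
    print(decide(SAMPLE_PATTERN))
```

The scan is a heuristic (it matches command keywords at the start of a line, so obfuscated or expression-embedded code can slip past it); the digest check is what actually enforces that only reviewed files load.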