Cyber Posture

CVE-2026-33654

Critical · Public PoC · RCE

Published: 27 March 2026

Modified: 08 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (46.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33654 is a critical-severity Code Injection (CWE-94) vulnerability in nanobot. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Other AI Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Validates email inputs to prevent malicious prompts from being ingested and processed as trusted content by the LLM.

Prevent: Restricts information inputs from the email channel to block unauthorized or malformed prompts that bypass channel isolation.

Prevent: Enforces flow control policies to maintain channel isolation, preventing untrusted email content from reaching LLM instructions and system tools.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables remote, unauthenticated exploitation of the public-facing email processing module via crafted malicious prompts, leading to execution of arbitrary LLM instructions and system tools.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.

Deeper analysis · AI

CVE-2026-33654 is an indirect prompt injection vulnerability in the email channel processing module (`nanobot/channels/email.py`) of nanobot, a personal AI assistant. The flaw affects versions prior to 0.1.6 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The associated CWEs are CWE-94 (Code Injection), CWE-290 (Authentication Bypass), and CWE-1336 (Inequivalent Security Check in Implementation).

A remote, unauthenticated attacker can exploit this vulnerability by sending an email containing malicious prompts to the bot's monitored email address. The bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation. This enables execution of arbitrary LLM instructions and subsequently system tools without any interaction from the bot owner, resulting in a stealthy, zero-click attack with high confidentiality, integrity, and availability impacts.

The GitHub security advisory (GHSA-4gmr-2vc8-7qh3) states that version 0.1.6 patches the issue. Security practitioners should upgrade to this version to mitigate the vulnerability.

Details

Affected Products

nanobot
nanobot
0.1.4 · ≤ 0.1.4

AI Security Analysis · AI

AI Category: Other AI Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, prompt injection, llm

CVEs Like This One

CVE-2026-35589 · Same product: Nanobot Nanobot
CVE-2026-27597 · Shared CWE-94
CVE-2026-1868 · Shared CWE-1336
CVE-2026-40967 · Shared CWE-94
CVE-2026-30741 · Shared CWE-94
CVE-2025-65602 · Shared CWE-1336, CWE-94
CVE-2026-34724 · Shared CWE-1336, CWE-94
CVE-2025-69401 · Shared CWE-290
CVE-2026-35178 · Shared CWE-94
CVE-2024-1490 · Shared CWE-94
