Cyber Resilience

CVE-2026-33654

High · Public PoC · RCE

Published: 27 March 2026

Modified: 08 April 2026
CVSS v4 score: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0049 (38.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33654 is a high-severity Code Injection (CWE-94) vulnerability in Nanobot Nanobot. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 38.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33654 is an indirect prompt injection vulnerability in the email channel processing module (`nanobot/channels/email.py`) of nanobot, a personal AI assistant. The flaw affects versions prior to 0.1.6 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The associated CWEs are CWE-94 (Code Injection), CWE-290 (Authentication Bypass), and CWE-1336 (Inequivalent Security Check in Implementation).

A remote, unauthenticated attacker can exploit this vulnerability by sending an email containing malicious prompts to the bot's monitored email address. The bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation. This enables execution of arbitrary LLM instructions and subsequently system tools without any interaction from the bot owner, resulting in a stealthy, zero-click attack with high confidentiality, integrity, and availability impacts.

The GitHub security advisory (GHSA-4gmr-2vc8-7qh3) states that version 0.1.6 patches the issue. Security practitioners should upgrade to this version to mitigate the vulnerability.

Vulnerability details

nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, llm, prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability enables remote unauthenticated exploitation of public-facing email processing module via crafted malicious prompts, leading to arbitrary LLM and system tool execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35589: Same product: Nanobot Nanobot
CVE-2026-1868: Shared CWE-1336
CVE-2026-45714: Shared CWE-1336, CWE-94
CVE-2025-65602: Shared CWE-1336, CWE-94
CVE-2026-41229: Shared CWE-94
CVE-2026-44262: Shared CWE-94
CVE-2026-40563: Shared CWE-94
CVE-2018-25316: Shared CWE-290
CVE-2024-32641: Shared CWE-94
CVE-2025-63665: Shared CWE-94

Affected Assets

nanobot
nanobot
0.1.4 · ≤ 0.1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Validates email inputs to prevent malicious prompts from being ingested and processed as trusted content by the LLM.

Prevent: Restricts information inputs from the email channel to block unauthorized or malformed prompts that bypass channel isolation.

Prevent: Enforces flow control policies to maintain channel isolation, preventing untrusted email content from reaching LLM instructions and system tools.
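
A sketch of the input-validation and flow-control ideas above, as an added example that is not nanobot's code or its 0.1.6 patch: mail counts as the owner's only when the receiving MTA recorded an aligned `dmarc=pass` for an allowlisted sender, and everything else is handed on as data with tool use switched off. The names `ALLOWED_SENDERS`, `TRUSTED_AUTHSERV`, `ChannelMessage` and `ingest_email`, the `example.org` addresses, and the reliance on an `Authentication-Results` header stamped by the receiving MTA are all assumptions.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

ALLOWED_SENDERS = {"owner@example.org"}  # assumption: owner-configured allowlist
TRUSTED_AUTHSERV = "mx.example.org"      # assumption: authserv-id of our own MTA

@dataclass
class ChannelMessage:
    text: str
    tools_allowed: bool  # enforced by the tool dispatcher, not by the model

def sender_is_authenticated(msg) -> bool:
    """True only if our MTA recorded an aligned dmarc=pass for an allowlisted From."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr not in ALLOWED_SENDERS:
        return False
    results = msg.get_all("Authentication-Results") or []
    if not results:
        return False
    # Topmost header is the one added by the last hop; lower ones may be forged.
    authserv, _, rest = results[0].partition(";")
    tokens = rest.lower().replace(";", " ").split()
    domain = addr.rsplit("@", 1)[1]
    return (authserv.strip().lower() == TRUSTED_AUTHSERV
            and "dmarc=pass" in tokens
            and f"header.from={domain}" in tokens)

def ingest_email(raw: str) -> ChannelMessage:
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    if sender_is_authenticated(msg):
        return ChannelMessage(body, tools_allowed=True)
    # Unauthenticated mail is passed on as quoted data with tool use switched off.
    return ChannelMessage("[untrusted email, data only]\n" + body, tools_allowed=False)

def _mail(auth_lines, sender):  # builds constructed sample messages
    hdrs = [f"Authentication-Results: {a}" for a in auth_lines]
    return "\n".join(hdrs + [f"From: {sender}", "Subject: notes", "", "constructed body"])

GENUINE = _mail(["mx.example.org; dmarc=pass header.from=example.org"], "Owner <owner@example.org>")
SPOOFED = _mail(["mx.example.org; dmarc=fail header.from=example.org",
                 "mx.example.org; dmarc=pass header.from=example.org"], "owner@example.org")
STRANGER = _mail(["mx.example.org; dmarc=pass header.from=example.net"], "someone@example.net")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("stranger", STRANGER)]:
        print(name, ingest_email(raw).tools_allowed)
```

The text marker on untrusted mail is advisory only; the control that holds is the `tools_allowed` flag, which the component dispatching tool calls has to check outside the model.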
