Cyber Posture

CVE-2026-35589

High · Public PoC

Published: 14 April 2026

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0002 (5.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35589 is a high-severity Missing Origin Validation in WebSockets (CWE-1385) vulnerability in Nanobot Nanobot. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 5.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

AC-3 enforces approved authorizations by requiring the WebSocket server to validate the Origin header during handshakes, preventing cross-site connections to the local bridge API.

prevent

SI-10 requires validation of inputs such as the Origin header in WebSocket handshakes to reject unauthorized cross-origin requests from malicious websites.

prevent

SI-2 mandates timely flaw remediation by patching to nanobot version 0.1.5, which fixes the incomplete CSWSH remediation including Origin validation and token authentication.

MITRE ATT&CK Enterprise Techniques · AI

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

The flaw is exploited when a user visits a malicious website, which enables cross-site WebSocket access to the local bridge API (T1189 Drive-by Compromise). That access facilitates stealing authentication QR codes and hijacking the WhatsApp session (T1528 Steal Application Access Token).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to 127.0.0.1 and added an optional BRIDGE_TOKEN parameter, but token authentication is disabled by default and the server does not validate the Origin header during the WebSocket handshake. Because browsers do not enforce the Same-Origin Policy on WebSockets unless the server explicitly denies cross-origin connections, any website visited by a user running the bridge can establish a WebSocket connection to ws://127.0.0.1:3001/ and gain full access to the bridge API. This allows an attacker to hijack the WhatsApp session, read incoming messages, steal authentication QR codes, and send messages on behalf of the user. This issue has been fixed in version 0.1.5.

Deeper analysis · AI

CVE-2026-35589 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability affecting nanobot, a personal AI assistant, in versions prior to 0.1.5. The issue exists in the bridge's WebSocket server at bridge/src/server.ts and results from an incomplete remediation of CVE-2026-2577. Although the prior fix rebound the server from 0.0.0.0 to 127.0.0.1 and introduced an optional BRIDGE_TOKEN parameter, token authentication remains disabled by default, and the server does not validate the Origin header during WebSocket handshakes.

A remote attacker with no privileges can exploit this vulnerability by tricking a user into visiting a malicious website, which requires user interaction. Browsers do not enforce the Same-Origin Policy on WebSockets unless explicitly denied by the server, allowing the malicious site to connect to ws://127.0.0.1:3001/ and gain full access to the bridge API. This enables hijacking the user's WhatsApp session, reading incoming messages, stealing authentication QR codes, and sending messages on behalf of the user. The CVSS v3.1 base score is 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N), with associated CWE-1385.

The vulnerability is fixed in nanobot version 0.1.5. Mitigation involves updating to this version, as detailed in the GitHub security advisory at https://github.com/HKUDS/nanobot/security/advisories/GHSA-v5j3-4q66-58cf and release notes at https://github.com/HKUDS/nanobot/releases/tag/v0.1.5.
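
The two server-side checks the description above identifies as absent or off by default, Origin validation and mandatory token authentication, written as a handshake gate. This is an added example, not nanobot's code or its 0.1.5 fix; the `GateConfig` shape, the `Authorization: Bearer` token transport and the sample headers are assumptions made for illustration.

```typescript
// Added example, not nanobot's code. Header names are lowercase, as Node's http module delivers them.
type Headers = Record<string, string | undefined>;
interface GateConfig { allowedOrigins: string[]; token: string } // hypothetical config shape
interface Decision { accept: boolean; status: number; reason: string }

// Compare without an early exit so timing does not reveal how many characters matched.
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function gateUpgrade(headers: Headers, cfg: GateConfig): Decision {
  // Fail closed: an unset token must not silently disable authentication.
  if (!cfg.token) return { accept: false, status: 500, reason: "token not configured" };

  // Browsers attach Origin to every WebSocket handshake and page script cannot change it.
  // "null" (sandboxed frames, file:// pages) is rejected unless explicitly allowlisted.
  const origin = headers["origin"];
  if (origin !== undefined && !cfg.allowedOrigins.includes(origin)) {
    return { accept: false, status: 403, reason: `origin ${origin} not allowed` };
  }

  // The token is still required: local non-browser clients send no Origin at all.
  const m = /^Bearer (.+)$/.exec(headers["authorization"] ?? "");
  if (!m || !safeEqual(m[1], cfg.token)) {
    return { accept: false, status: 401, reason: "missing or wrong token" };
  }
  return { accept: true, status: 101, reason: "ok" };
}

// Constructed handshakes: a local client, a cross-site page, a sandboxed frame, a tokenless client.
const cfg: GateConfig = { allowedOrigins: [], token: "constructed-sample-token" };
const samples: Headers[] = [
  { authorization: "Bearer constructed-sample-token" },
  { origin: "https://attacker.example", authorization: "Bearer constructed-sample-token" },
  { origin: "null" },
  {},
];
function runSamples(): number[] {
  return samples.map((h) => gateUpgrade(h, cfg).status);
}
console.log(runSamples()); // [101, 403, 403, 401]
```

An empty `allowedOrigins` list rejects every browser-originated handshake, which suits a bridge whose only legitimate client is a local process.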

Details

CWE(s)

Affected Products

nanobot
nanobot
≤ 0.1.5

AI Security Analysis · AI

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-33654 · Same product: Nanobot Nanobot
CVE-2026-34403 · Shared CWE-1385
CVE-2024-48849 · Shared CWE-1385
CVE-2025-68930 · Shared CWE-1385
CVE-2025-24964 · Shared CWE-1385
