{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33654", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.218Z", "datePublished": "2026-03-27T19:43:49.193Z", "dateUpdated": "2026-03-30T18:59:48.689Z"}, "containers": {"cna": {"title": "Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3"}], "affected": [{"vendor": "HKUDS", "product": "nanobot", "versions": [{"version": "< 0.1.4.post6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:43:49.193Z"}, "descriptions": [{"lang": "en", "value": "nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue."}], "source": {"advisory": "GHSA-4gmr-2vc8-7qh3", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:59:44.585899Z", "id": "CVE-2026-33654", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:59:48.689Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue."}], "id": "CVE-2026-33654", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:32.363", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.1.4.post6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nanobot", "source": "cna", "vendor": "HKUDS"}, "product": "nanobot", "vendor": "hkuds"}], "analysis": {"en": {"generated_at": "2026-03-27T22:05:56.701937+00:00", "value": {"mitigation_remediation": ["Apply update to nanobot version 0.1.6 or later to patch the email channel processing flaw", "If an immediate update is not possible, temporarily disable or restrict the email channel to prevent unsolicited emails from being processed", "Monitor the bot's monitored email address for suspicious activity and block or quarantine untrusted email traffic"], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nanobot product from HKUDS; all versions older than 0.1.6 are impacted while version 0.1.6 and later include the necessary patch.", "description_and_impact": "nanobot, a personal AI assistant, contains an indirect prompt injection flaw in its email channel module that allows an unauthenticated attacker to send a single email with malicious prompts to the bot's monitored address; the bot automatically polls and treats the email content as highly trusted input, bypassing channel isolation and enabling the attacker to trigger arbitrary LLM instructions and subsequently execute system tools, effectively granting remote code execution.", "risk_and_exploitability": "With a CVSS score of 8.9, the flaw is of high severity. No EPSS data is available and the flaw is not listed in the CISA KEV catalog, but the attack vector is a zero-click, email-based exploit that requires no interaction from the bot owner, making it highly likely to be abused by attackers who can execute arbitrary system tools."}}}}, "created": "2026-03-29T20:30:23.564753+00:00", "updated": "2026-03-30T07:00:37.920775+00:00", "vendors": ["hkuds", "hkuds$PRODUCT$nanobot"]}