Platform
python
Component
nanobot
Fixed in
0.1.5
CVE-2026-33654 describes an authentication bypass vulnerability in nanobot, a personal AI assistant. This flaw allows a remote, unauthenticated attacker to execute arbitrary LLM instructions and potentially system tools without any interaction from the bot owner. The vulnerability affects versions of nanobot prior to 0.1.6 and is addressed in version 0.1.6.
The core of this vulnerability lies in the email channel processing module. An attacker can craft a malicious email containing carefully designed prompts. When nanobot automatically polls, ingests, and processes this email, it treats the content as highly trusted input, completely bypassing channel isolation. This results in a zero-click attack, meaning the bot owner doesn't need to interact with the email for the malicious instructions to be executed. The attacker can then leverage the LLM to execute system tools, potentially gaining unauthorized access and control over the system where nanobot is running. The stealthy nature of this attack, combined with the lack of user interaction, makes it particularly concerning.
This vulnerability was publicly disclosed on 2026-03-27. No public proof-of-concept (PoC) code has been released at the time of writing, but the description details a clear attack vector. The vulnerability's zero-click nature and potential for system tool execution suggest a medium exploitation probability. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
The primary mitigation is to upgrade nanobot to version 0.1.6 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing stricter input validation and sanitization on the email channel. While not a complete solution, this can help reduce the risk of malicious prompts being processed. Additionally, review and restrict the permissions granted to the LLM within nanobot to limit the potential impact of successful prompt injection. Monitor email logs for unusual activity or patterns that might indicate an attempted exploit.
Update nanobot to version 0.1.6 or higher. This version fixes the indirect prompt injection vulnerability in email processing. The update will prevent remote attackers from executing arbitrary LLM instructions without bot owner interaction.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33654 is an authentication bypass vulnerability in nanobot versions prior to 0.1.6, allowing unauthenticated attackers to execute arbitrary LLM instructions via crafted emails.
You are affected if you are using nanobot version 0.1.4.post6 or earlier. Upgrade to version 0.1.6 or later to mitigate the vulnerability.
Upgrade nanobot to version 0.1.6 or later. As a temporary workaround, implement stricter input validation and restrict LLM permissions.
While no active exploitation has been publicly confirmed, the vulnerability's zero-click nature and potential impact make it a high-priority concern.
Refer to the nanobot project's official website or GitHub repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.