Cross-Site WebSocket Hijacking in Nanobot AI Personal Assistant
CVE-2026-35589

8 HIGH

Key Information:

Vendor:
Hkuds

Status:
Vendor

CVE Published:
14 April 2026

What is CVE-2026-35589?

nanobot, an AI personal assistant, is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) in versions before 0.1.5 because an earlier fix for related issues was incomplete: the WebSocket server does not properly validate the Origin header during the handshake. A browser attaches an Origin header to every WebSocket upgrade it initiates, and the same-origin policy does not block the upgrade itself, so that header is the server's only signal for distinguishing a page the user intended to use from an arbitrary site the user merely visited. Without an exact-match check against an allowlist, a script on any remote website can open a WebSocket to the user's nanobot instance and read or send messages over it, exposing sensitive data including WhatsApp sessions, messages, and authentication tokens. Users running versions prior to 0.1.5 should upgrade to 0.1.5 or later.
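The kind of handshake-time Origin check this advisory calls for, shown beside the substring-style check that an incomplete fix often amounts to. This is an added example and is not nanobot's code; the allowed origins, the port 18790, and the handshake() wrapper are assumptions made for illustration.

```python
"""Origin validation for a WebSocket upgrade: a weak substring check beside a
strict exact-match allowlist. Added example, not the nanobot project's code."""
from urllib.parse import urlsplit

# Origins the server trusts. Constructed for this example (the port 18790 is
# an assumption); a real server derives this from its own configured address.
ALLOWED_ORIGINS = {"http://localhost:18790", "http://127.0.0.1:18790"}


def weak_origin_check(origin):
    """Substring match. This is the shape of an incomplete fix: it accepts
    http://localhost.attacker.example because the string contains 'localhost'."""
    return origin is not None and "localhost" in origin


def normalize_origin(origin):
    """Canonicalise an Origin value to scheme://host[:port], or return None if
    it is not a plain web origin (opaque 'null', paths, userinfo, bad ports)."""
    if origin is None:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()  # urlsplit already lowercases scheme and host
    if ":" in host:                # keep IPv6 literals in bracketed form
        host = f"[{host}]"
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def strict_origin_check(origin, allowed=ALLOWED_ORIGINS, allow_missing=False):
    """Exact-match allowlist. Browsers always send Origin on a WebSocket
    handshake, so a missing header means a non-browser client; admitting those
    is a deployment policy choice (allow_missing) and defaults to deny."""
    if origin is None:
        return allow_missing
    canon = normalize_origin(origin)
    if canon is None:
        return False               # also rejects the literal "null" origin
    return canon in {normalize_origin(a) for a in allowed}


def handshake(headers, check=strict_origin_check):
    """Simulate the server's decision on an upgrade request (hypothetical
    wrapper): 101 to proceed, 403 to refuse, 400 if it is not an upgrade at
    all. Header names are matched case-insensitively as in HTTP."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("upgrade", "").lower() != "websocket":
        return 400
    return 101 if check(lowered.get("origin")) else 403


if __name__ == "__main__":
    # Constructed handshake headers: a legitimate page and an attacker's page.
    for origin in ("http://localhost:18790", "http://localhost.attacker.example", "null"):
        req = {"Upgrade": "websocket", "Origin": origin}
        print(f"{origin:40} weak={handshake(req, weak_origin_check)} strict={handshake(req)}")
```

The check belongs in the handshake, before the server replies 101; once the upgrade has succeeded there is no later point at which the browser will tell you which page opened the socket. If the server is built on the `websockets` package, its `serve()` accepts an `origins` list that applies this same exact-match policy.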

Affected Version(s)

nanobot < 0.1.5

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 April 2026