External risk intelligence

Nanobot could allow an external attacker to hijack WhatsApp messages and accounts.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-35589

An external attacker can target the nanobot assistant when a user visits a malicious website to take control of their WhatsApp account. This allows the attacker to read private messages, steal sensitive login credentials, and send messages as the user, exposing confidential business communications.

Halo Surface Signal: 1

Nanobot

before 0.1.5

External exposure likelihood

Halo Surface Signal score for CVE-2026-35589

The vulnerable component is a local-only WebSocket service bound to the localhost address (127.0.0.1) on a user's machine. As client-side software that is not intended for network-level exposure or internet-facing connectivity, it does not represent a public attack surface, even though it can be triggered locally by a browser during a web session.

Horizon Alert

Summary of the vulnerability and why it matters

This Cross-Site WebSocket Hijacking vulnerability in nanobot allows any website to take control of your AI assistant. Because the security fix was incomplete, an attacker can hijack your session, read messages, steal QR codes, and send messages as you.

  • Hijacked sessions can steal sensitive data.
  • Users are at risk of impersonation.
  • An attacker can gain full access to the bridge API.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by tricking a user into visiting a malicious website. This website will then communicate with the vulnerable Nanobot bridge service running on the user's local machine. By leveraging the Cross-Site WebSocket Hijacking flaw, the attacker can hijack the user's WhatsApp session, read messages, and steal QR codes.

  • Requires user interaction.
  • Targets local bridge service.
  • User must run Nanobot bridge.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to weaponize this CVE due to its restricted local access. While the impact of session hijacking is significant, the requirement for a user to visit a malicious website while the vulnerable software is running locally limits its broad exploitability.

  • Local-only vulnerability.
  • No public exploit available.
  • Primarily impacts local user context.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on identifying and isolating nanobot instances running versions prior to 0.1.5, as they are critically vulnerable to Cross-Site WebSocket Hijacking. The flaw allows attackers to hijack sessions, steal QR codes, and send messages as the user.

  • Upgrade nanobot to version 0.1.5 or later.
  • Monitor for suspicious WebSocket connections to localhost:3001.
  • Block access to the WebSocket API if possible.

Frequently asked questions

What is nanobot and what is it used for?

Nanobot is a personal AI assistant designed to help users. It operates via a bridge, which includes a WebSocket server that facilitates communication. The specific use cases are not detailed beyond its function as a personal AI assistant.

What is CVE-2026-35589? What is the weakness class?

CVE-2026-35589 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability affecting nanobot versions before 0.1.5. This weakness, categorized as CWE-1385, allows a malicious website to establish a WebSocket connection to the nanobot bridge and take control of the user's session.

How can an attacker exploit the nanobot vulnerability?

An attacker can exploit this by tricking a user into visiting a malicious website. This website then communicates with the nanobot bridge service running on the user's local machine, exploiting the Cross-Site WebSocket Hijacking flaw. The server does not validate the Origin header during the WebSocket handshake, allowing this cross-origin access. The vulnerability is not triggered if the server explicitly denies cross-origin connections.
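As an added illustration (not nanobot's own code), the decision a localhost WebSocket bridge has to make on each handshake: the CSWSH-prone version accepts any upgrade, the hardened version refuses any handshake whose Origin is missing or not on an allowlist. Port 3001 comes from the advisory; the function names, the allowlist and the sample handshake headers are assumptions constructed here.

```javascript
// Added example, not nanobot's code: accepting or refusing a WebSocket upgrade
// on a localhost bridge. Port 3001 is from the advisory; names, allowlist and
// sample handshakes are assumptions.

// Origins allowed to open a WebSocket to the bridge (assumed: only the bridge's
// own local UI). Browsers always send Origin on a WebSocket handshake, so this
// header is what distinguishes a hostile page from the expected client.
const ALLOWED_ORIGINS = new Set([
  "http://127.0.0.1:3001",
  "http://localhost:3001",
]);

function isWebSocketUpgrade(headers) {
  const upgrade = headers["upgrade"];
  return typeof upgrade === "string" && upgrade.toLowerCase() === "websocket";
}

// CSWSH-prone behaviour: every upgrade is accepted, so a script on any site
// the user visits can open the socket and drive the bridge API.
function acceptUpgradeVulnerable(headers) {
  return isWebSocketUpgrade(headers);
}

// Hardened decision: Origin must parse and match the allowlist exactly
// (scheme, host and port). A missing Origin is refused too, so the check
// cannot be sidestepped by omitting the header; a trusted non-browser client
// would have to send an allowlisted Origin (assumption).
function acceptUpgradeHardened(headers, allowed = ALLOWED_ORIGINS) {
  if (!isWebSocketUpgrade(headers)) return false;
  const origin = headers["origin"];
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin); // "null" and other non-URL values throw here
  } catch {
    return false;
  }
  return allowed.has(`${parsed.protocol}//${parsed.host}`);
}

// Constructed handshake headers, lowercase-keyed as Node's http module
// presents them in req.headers.
const HOSTILE_HANDSHAKE = {
  host: "127.0.0.1:3001",
  upgrade: "websocket",
  connection: "Upgrade",
  origin: "https://attacker.example", // a malicious page the user visited
};
const LOCAL_HANDSHAKE = { ...HOSTILE_HANDSHAKE, origin: "http://127.0.0.1:3001" };
```

Wire `acceptUpgradeHardened` into the server's upgrade handler and close the socket with a 403 before any frames are exchanged; a handshake arriving at localhost:3001 with a non-local Origin is also the signal the detection step above should look for.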

Who should care about CVE-2026-35589?

Users running nanobot versions prior to 0.1.5 should be concerned. While the vulnerability targets a local-only service and is not considered internet-facing, any user interacting with potentially malicious websites while nanobot is active could be at risk. The risk is considered very unlikely due to the local nature of the affected component.

What are the first steps to address this nanobot vulnerability?

The immediate first step is to upgrade nanobot to version 0.1.5 or later, as this version contains the fix for the vulnerability. Monitoring for any unusual WebSocket connections to localhost on port 3001 could also be a precautionary measure.
