What is CVE-2026-2577?

CVE-2026-2577 is a critical-severity vulnerability in Hkuds Nanobot, classified under Missing Authentication for Critical Function. CVSS score: 10.0/10. Published 2026-02-16.

How severe is CVE-2026-2577?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Auth bypass in Hkuds Nanobot

CVE-2026-2577

The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network a…

Vulnerability class: Broken Authentication

EPSS: 0.001 (24.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.

Affected products

Hkuds Nanobot — versions 0

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

www.tenable.com/security/research/tra-2026-09
github.com/HKUDS/nanobot/releases/tag/v0.1.3.post7

Frequently asked questions

What is CVE-2026-2577?: CVE-2026-2577 is a critical-severity vulnerability in Hkuds Nanobot, classified under Missing Authentication for Critical Function. CVSS score: 10.0/10. Published 2026-02-16.
How severe is CVE-2026-2577?: Critical severity. CVSS v3 base score is 10.0 out of 10.