SSRF in Hkuds Nanobot
CVE-2026-49139
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attack…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.001 (32.3th percentile)
Affected products
- Hkuds Nanobot — versions 0
Weakness classification (CWE)