Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling

8.9 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.

Basic Information

ID CVE-2026-33654

Source GitHub_M

Published Mar 27, 2026 at 19:43

Modified Mar 30, 2026 at 18:59

Affected Product

Vendor HKUDS

Product nanobot

Version < 0.1.4.post6

Affected Versions HKUDS nanobot < 0.1.4.post6

CWE Classification

CWE-94 CWE-290 CWE-1336

References

github.com /HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3

{
    "lastseen": "",
    "description": "nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation and resulting in a stealthy, zero-click attack. Version 0.1.6 patches the issue.",
    "published": "2026-03-27T19:43:49.193Z",
    "modified": "2026-03-30T18:59:48.689Z",
    "type": "cve",
    "title": "Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling",
    "source": "GitHub_M",
    "references": "https://github.com/HKUDS/nanobot/security/advisories/GHSA-4gmr-2vc8-7qh3",
    "id": "CVE-2026-33654",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-290",
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "HKUDS nanobot < 0.1.4.post6",
    "sourceHref": "",
    "cvss": {
        "score": 8.9,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nanobot",
    "version": "< 0.1.4.post6",
    "vendor": "HKUDS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling_CVE-2026-33654