Nanobot < 0.2.1 Denial of Service via Matrix Media Download...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.

Basic Information

ID CVE-2026-49140

Source VulnCheck

Published Jun 1, 2026 at 19:54

Affected Product

Vendor HKUDS

Product nanobot

Affected Versions HKUDS nanobot 0

CWE Classification

CWE-770

References

{
    "lastseen": "",
    "description": "Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.",
    "published": "2026-06-01T19:54:53.921Z",
    "modified": "2026-06-01T19:54:53.921Z",
    "type": "cve",
    "title": "Nanobot < 0.2.1 Denial of Service via Matrix Media Download Handler",
    "source": "VulnCheck",
    "references": "https://github.com/HKUDS/nanobot/releases/tag/v0.2.1\nhttps://github.com/HKUDS/nanobot/pull/4106\nhttps://github.com/HKUDS/nanobot/commit/1d4000560dfff1acb83f5c5ca8ef3ab1f092bd14\nhttps://www.vulncheck.com/advisories/nanobot-denial-of-service-via-matrix-media-download-handler",
    "id": "CVE-2026-49140",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "HKUDS nanobot 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nanobot",
    "version": "0",
    "vendor": "HKUDS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nanobot < 0.2.1 Denial of Service via Matrix Media Download Handler_CVE-2026-49140