CVE-2026-49138
5.0 MEDIUM
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to...
Published: 2026-06-01 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 5.0 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- CWE: CWE-918 (Server-Side Request Forgery)
Description
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the automatic HTTP redirect following behavior in the httpx library to bypass initial URL validation and cause the runtime to send outbound requests to internal hosts before final resolved URL validation is applied.
Source: NVD
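The validate-once-then-follow pattern the description names, as an added example that is not nanobot's code: a minimal fetcher whose `check_every_hop=False` path mirrors the reported flaw (the caller's URL is checked, then 3xx Location targets are followed unchecked), beside the hardened form that re-validates every hop before sending. The transport and resolver are injected stand-ins constructed for offline use; in a real deployment the transport would be an HTTP client call with automatic redirects disabled (for httpx, `follow_redirects=False`) and the resolver would be `socket.getaddrinfo`.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# One HTTP hop: url -> (status, lowercase headers, body). Injected so this runs
# offline; in production it wraps a client call with redirects disabled.
Transport = Callable[[str], Tuple[int, Dict[str, str], bytes]]
Resolver = Callable[[str], List[str]]  # hostname -> IP address strings
MAX_REDIRECTS = 5

def is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_unspecified or a.is_reserved or a.is_multicast)

def validate_url(url: str, resolve: Resolver) -> None:
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"rejected scheme/host in {url!r}")
    for ip in resolve(p.hostname):  # check every A/AAAA answer, not just one
        if is_internal(ip):
            raise ValueError(f"blocked: {p.hostname} resolves to {ip}")

def fetch(url: str, send: Transport, resolve: Resolver,
          check_every_hop: bool) -> Tuple[str, bytes]:
    """check_every_hop=False is the vulnerable shape: the caller's URL is
    validated once and 3xx Location targets are then followed unchecked.
    check_every_hop=True re-validates each hop before its request is sent."""
    validate_url(url, resolve)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = send(url)
        if not (300 <= status < 400 and "location" in headers):
            return url, body
        url = urljoin(url, headers["location"])
        if check_every_hop:
            validate_url(url, resolve)
    raise ValueError("too many redirects")

# Constructed offline fixtures: a public host whose page 302s to loopback.
DNS = {"public.example": ["8.8.8.8"]}
HOPS = {"http://public.example/start": (302, {"location": "http://127.0.0.1:8080/admin"}, b""),
        "http://127.0.0.1:8080/admin": (200, {}, b"internal-only")}
def fake_resolve(host: str) -> List[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        return DNS[host]

def fake_send(url: str) -> Tuple[int, Dict[str, str], bytes]:
    return HOPS[url]
```

Re-resolving per hop still leaves a window between this check and the client's own DNS lookup, so a complete fix also pins the connection to the address that was validated.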
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-49138
- [Other] https://github.com/HKUDS/nanobot/commit/545294c62c0947da40eb5b65288aaf02b5fdf632
- [Other] https://github.com/HKUDS/nanobot/pull/3928
- [Other] https://github.com/HKUDS/nanobot/releases/tag/v0.2.1
- [Other] https://www.vulncheck.com/advisories/nanobot-ssrf-via-web-fetch-tool-redirect-following
Related CVEs
Same CWE
- CVE-2026-12210 — A vulnerability was detected in universal-tool-calling-protocol python-utcp 1.1.0 (6.3 MEDIUM)
- CVE-2026-53827 — OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata ... (6.5 MEDIUM)
- CVE-2026-47268 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.4 MEDIUM)
- CVE-2026-46717 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (7.7 HIGH)
- CVE-2026-53607 — ApostropheCMS is an open-source Node.js content management system (3.7 LOW)