The website provided (nanobot.ai) belongs to a completely different product — the actual tool is github.com/HKUDS/nanobot, a research-lab Python agent with two assigned CVEs including a CVSS 10.0 now patched, an open API-key leakage issue, and no sandboxing by default.
The website provided (https://nanobot.ai/) belongs to an entirely different product — an MCP agent framework by Obot.ai/Acorn Labs — and has no connection to HKUDS nanobot; the canonical source is github.com/HKUDS/nanobot and nanobot.wiki (source: direct fetch of https://www.nanobot.ai/).
CVE-2026-2577 (CVSS 10.0, CRITICAL): the WhatsApp bridge WebSocket server was bound to all network interfaces (0.0.0.0) with no authentication, allowing unauthenticated remote attackers to hijack WhatsApp sessions, read messages, and steal QR codes with no user interaction; patched in v0.1.3.post7 (source: https://radar.offseq.com/threat/cve-2026-2577).
CVE-2026-35589 (CVSS 8.0, HIGH): the initial remediation of CVE-2026-2577 was incomplete — the binding was restricted to localhost and an optional token added, but token authentication remained disabled by default and the Origin header was not validated, leaving cross-site WebSocket hijacking possible; fully fixed in v0.1.5 (source: https://radar.offseq.com/threat/cve-2026-35589-cwe-1385-missing-origin-validation).
The core agent can access its own config.json via the exec() tool, trivially leaking API keys; this is an open unresolved GitHub issue with no official fix as of April 2026 (source: https://github.com/HKUDS/nanobot/issues/1873).
A March 2026 LiteLLM supply chain attack (versions 1.82.7 and 1.82.8 compromised with credential-stealing code) affected the nanobot dependency chain; nanobot had pinned litellm==1.82.1 and users on that pin were unaffected, but the incident was disclosed and discussed in GitHub Discussions (source: https://github.com/HKUDS/nanobot/discussions/2445).