
CVE-2026-2577 - Vulnerability Analysis

Critical | CVSS: 10.0

Last Updated: February 16, 2026

Nanobot WhatsApp bridge - Authentication Bypass

Published: February 16, 2026 | Updated: February 16, 2026 | Remote Exploitable

Overview

The Nanobot WhatsApp bridge binds its WebSocket server to all interfaces on port 3001 without authentication, letting unauthenticated remote attackers hijack WhatsApp sessions, send messages, intercept media, and capture QR codes. Exploitation requires network access.

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers with network access can hijack WhatsApp sessions, send messages, intercept communications, and capture authentication data.

Mitigation

Restrict WebSocket server binding to trusted interfaces and implement authentication for incoming connections.
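
A check for the exposure described above, added here as an example (not code from the Nanobot project or from this advisory): it scans `ss -ltnH` output for listeners on port 3001 that are not bound to loopback. The sample lines are constructed and the function names are hypothetical.

```python
import ipaddress

BRIDGE_PORT = 3001  # WebSocket port named in the advisory

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:3001 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3001 0.0.0.0:*
LISTEN 0 511 [::]:3001 [::]:*
LISTEN 0 128 192.168.1.20:3001 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 [::1]:3001 [::]:*
LISTEN 0 511 *:3001 *:*
"""

def classify(local):
    """Split an ss 'Local Address:Port' field into (port, bind scope)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if host == "*":  # dual-stack wildcard as printed by ss
        return int(port), "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return int(port), "all-interfaces"
    if ip.is_loopback:
        return int(port), "loopback"
    return int(port), "specific-interface"

def exposed_listeners(ss_output, port=BRIDGE_PORT):
    """Return (local address, scope) for listeners on `port` reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        try:
            found_port, scope = classify(fields[3])
        except ValueError:
            continue  # unparseable address or port: skip the line
        if found_port == port and scope != "loopback":
            findings.append((fields[3], scope))
    return findings

if __name__ == "__main__":
    for address, scope in exposed_listeners(SAMPLE_SS):
        print(f"port {BRIDGE_PORT} reachable beyond loopback: {address} ({scope})")
```

A `specific-interface` result is acceptable only if that interface is one of the trusted ones the mitigation refers to; the check reports binding scope and says nothing about whether authentication is enforced.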

Social Media Activity (2 posts)

Offensive Sequence (@offseq), Feb 16, 2026

🔴 CVE-2026-2577: CRITICAL vuln in HKUDS nanobot WhatsApp bridge (port 3001) — no auth required for WebSocket! Attackers can hijack sessions & intercept messages. Restrict access & monitor traffic. https://radar.offseq.com/threat/cve-2026-2577-cwe-306-missing-authentication-for-c-d0d526e7 #OffSeq #CVE20262577 #Infosec #Vuln


Details

CVE ID: CVE-2026-2577
Severity: Critical
CVSS Score: 10.0
Type: broken_authentication
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score

0.0% (Probability of exploitation in the next 30 days)