PT-2026-32960 · Nanobot · Nanobot
Ylchen-007 · Published 2026-04-14 · Updated 2026-04-16
CVE-2026-35589
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
nanobot versions prior to 0.1.5
Description
A Cross-Site WebSocket Hijacking (CSWSH) issue exists in the bridge's WebSocket server within bridge/src/server.ts. The server does not validate the Origin header during the WebSocket handshake, and token authentication via the BRIDGE TOKEN parameter is disabled by default. Browsers do not apply the Same-Origin Policy to WebSocket connections, so a cross-origin connection succeeds unless the server explicitly denies it. As a result, any website visited by a user can establish a connection to the endpoint 'ws://127.0.0.1:3001/'. This allows an attacker to gain full access to the bridge API, hijack the WhatsApp session, read incoming messages, steal authentication QR codes, and send messages on behalf of the user.
Recommendations
Update to version 0.1.5.
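For readers auditing a similar loopback bridge, the following added example (not nanobot's code and not its 0.1.5 fix) shows a handshake policy that closes both gaps named in the description: it rejects any browser Origin that is not allowlisted and refuses to run without a token. The names `checkHandshake`, `BridgePolicy` and `safeEqual`, and the way the client presents the token, are assumptions.

```typescript
// Added example: handshake policy for a loopback WebSocket bridge.
// All names are hypothetical; this is not nanobot's code or its fix.
interface BridgePolicy {
  allowedOrigins: string[]; // exact origins of trusted browser UIs (may be empty)
  token: string;            // shared secret; "" means not configured
}
interface Decision { accept: boolean; status: number; reason: string; }

// Compare without an early exit so timing does not reveal matching prefixes.
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function checkHandshake(
  headers: Record<string, string | undefined>, // header names lower-cased
  presentedToken: string | undefined,          // assumption: sent by the client
  policy: BridgePolicy,
): Decision {
  // Fail closed: an unset token must not silently disable authentication.
  if (policy.token.length === 0) {
    return { accept: false, status: 503, reason: "token not configured" };
  }
  // Browsers always send Origin on a WebSocket handshake and page script
  // cannot alter it, so a present Origin must match the allowlist exactly.
  const origin = headers["origin"];
  if (origin !== undefined && policy.allowedOrigins.indexOf(origin) === -1) {
    return { accept: false, status: 403, reason: "origin not allowed" };
  }
  // No Origin means a non-browser client; it still has to know the secret.
  if (presentedToken === undefined || !safeEqual(presentedToken, policy.token)) {
    return { accept: false, status: 401, reason: "bad or missing token" };
  }
  return { accept: true, status: 101, reason: "ok" };
}

// Constructed sample handshakes against a bridge with no browser UI.
const samplePolicy: BridgePolicy = { allowedOrigins: [], token: "tok-constructed" };
const fromWebPage = checkHandshake(
  { origin: "https://attacker.example", host: "127.0.0.1:3001" }, undefined, samplePolicy);
const fromLocalClient = checkHandshake(
  { host: "127.0.0.1:3001" }, "tok-constructed", samplePolicy);
```

The Origin check runs before the token check, so a leaked token alone does not let an arbitrary web page connect.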
Affected Products
Nanobot