CVE-2026-31977

Name of the Vulnerable Software and Affected Versions nanobot (affected versions not specified)

Description An issue exists where including the | character in a sender address allows an attacker to bypass the Channel allowlist. This bypass provides full access to the Agent Loop, exposing all tools, files, and network capabilities available to the deployment. The flaw originates from the use of the split('|') function within the base Channel class, which was implemented for Telegram compatibility.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.