What happened
nanobot versions 0.1.5.post3 and prior (CVSS 8.7 HIGH, NVD June 18, 2026) contain a path traversal vulnerability in the WhatsApp bridge (bridge/src/whatsapp.ts). The bridge constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitisation. An attacker can send a WhatsApp message with a crafted fileName (e.g. '../../.ssh/authorized_keys') to write arbitrary files to the host filesystem, enabling remote code execution.
Why it matters
nanobot is a personal AI assistant that bridges WhatsApp messages to AI model APIs. This vulnerability allows any WhatsApp user who can message the nanobot instance to write arbitrary files on the host — a classic path traversal-to-RCE that completely compromises the AI assistant's host machine, including any model credentials, API keys, or private data stored on it.
Attack vector
Attacker sends a WhatsApp document message to the nanobot instance with a crafted fileName containing path traversal sequences. The bridge writes the document content to the attacker-specified path on the host filesystem, enabling arbitrary file write and subsequent RCE.
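The unsanitised path construction described above, beside a contained version that refuses any document name which is not a single path component, as an added TypeScript example (not code from the nanobot bridge; DOWNLOAD_DIR and the function names are assumptions):

```typescript
import * as path from "path";

// Hypothetical directory where the bridge stores incoming documents (assumption).
const DOWNLOAD_DIR = "/srv/nanobot/downloads";

// Vulnerable pattern described in the advisory: the attacker-controlled
// fileName is joined onto the download directory with no validation, so
// "../" segments walk out of DOWNLOAD_DIR before the file is written.
function vulnerableTargetPath(baseDir: string, fileName: string): string {
  return path.join(baseDir, fileName);
}

// True when `candidate` resolves to somewhere outside `baseDir`.
function escapesBaseDir(baseDir: string, candidate: string): boolean {
  const root = path.resolve(baseDir);
  const rel = path.relative(root, path.resolve(candidate));
  return rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel);
}

// Hardened form: a WhatsApp document name must be a bare filename, so refuse
// separators, dot-only names and control characters outright instead of trying
// to "clean" them, then confirm the resolved path still lies inside baseDir.
// Returns null when the name must be rejected (alternatively, store under a
// server-generated name and keep the original only as metadata).
function safeTargetPath(baseDir: string, fileName: string): string | null {
  if (fileName === "" || fileName === "." || fileName === "..") return null;
  if (/[\/\\\x00-\x1f]/.test(fileName)) return null;
  if (path.basename(fileName) !== fileName) return null;
  const root = path.resolve(baseDir);
  const target = path.resolve(root, fileName);
  if (escapesBaseDir(root, target)) return null;
  return target;
}

// Constructed samples: the traversal name quoted in the advisory and a benign one.
const samples = ["../../.ssh/authorized_keys", "invoice.pdf"];
for (const name of samples) {
  const naive = vulnerableTargetPath(DOWNLOAD_DIR, name);
  console.log(
    `${name} -> naive: ${naive} (escapes: ${escapesBaseDir(DOWNLOAD_DIR, naive)}),` +
      ` hardened: ${safeTargetPath(DOWNLOAD_DIR, name)}`,
  );
}
```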
Affected systems
nanobot ≤ 0.1.5.post3 (HKUDS/nanobot)
Mitigation
Update nanobot to a version later than 0.1.5.post3. See the GitHub Security Advisory: https://github.com/HKUDS/nanobot/security/advisories/GHSA-3f63-vcp3-hvqr