CVE-2026-49138
Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
12th
Nanobot prior to version 0.2.1 contains a server-side request forgery (SSRF) vulnerability in the web_fetch tool. The tool validates only the URL the caller supplies; it then fetches that URL with httpx configured to follow redirects automatically, so a 3xx response whose Location header points at a loopback or private address makes the runtime send a request to the internal host before any validation of the final resolved URL is applied. An attacker who can pass a URL to the tool therefore needs only a host they control that answers with a redirect to reach internal or private network hosts from the runtime.
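The redirect-following gap described above, as an added example that is not nanobot's own code: a web_fetch-style helper that validates only the initial URL and then follows redirects (the vulnerable shape) next to one that re-validates every hop before the request is sent. The DNS table, the in-memory "server", the constructed redirect chain and the public address 93.184.216.34 are all assumptions made so the example runs offline; with httpx the hardened loop maps onto `client.get(url, follow_redirects=False)` and the same hop-by-hop check.

```python
"""Hop-by-hop SSRF guard for a web_fetch-style tool (added example, not nanobot code)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def resolve_host(host):
    """Resolve a hostname (or IP literal) to IP strings; fail closed with [] on error."""
    try:
        ipaddress.ip_address(host)
        return [host]                      # literal address, nothing to resolve
    except ValueError:
        pass
    try:
        return sorted({ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_allowed_url(url, resolver=resolve_host):
    """True only if the scheme is http(s) and every resolved address is publicly routable."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ips = resolver(parts.hostname)
    if not ips:
        return False                       # unresolvable: do not guess, block
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped        # ::ffff:127.0.0.1 is still loopback
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False
    return True


# Constructed DNS table and in-memory server standing in for real network I/O.
FAKE_DNS = {"public.example": ["93.184.216.34"], "internal.corp": ["10.0.0.5"]}
FAKE_SERVER = {
    # attacker-controlled public host answering with a redirect to loopback
    "http://public.example/start": (302, {"location": "http://127.0.0.1:8080/admin"}, "redirect"),
    # a relative redirect that chains into the one above
    "http://public.example/hop": (301, {"location": "/start"}, "redirect"),
    "http://public.example/page": (200, {}, "public page"),
    "http://127.0.0.1:8080/admin": (200, {}, "internal admin panel"),
}


def fake_resolver(host):
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def fake_send(url):
    """One HTTP request with redirects disabled: returns (status, headers, body)."""
    return FAKE_SERVER.get(url, (404, {}, "not found"))


def web_fetch_vulnerable(url, send=fake_send, resolver=fake_resolver):
    """Checks the caller's URL once, then follows redirects blindly
    (the behaviour of an HTTP client with automatic redirect following)."""
    if not is_allowed_url(url, resolver):
        raise ValueError("blocked: " + url)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = send(url)
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])   # never re-validated
            continue
        return url, body
    raise RuntimeError("too many redirects")


def web_fetch_hardened(url, send=fake_send, resolver=fake_resolver):
    """Disables automatic following and validates every hop before sending."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_allowed_url(url, resolver):
            raise ValueError("blocked: " + url)
        status, headers, body = send(url)
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return url, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print(web_fetch_vulnerable("http://public.example/hop"))   # lands on the admin panel
    try:
        web_fetch_hardened("http://public.example/hop")
    except ValueError as exc:
        print(exc)                                             # blocked at the loopback hop
```

One caveat the example does not remove: the resolver check and the client's own connect are two separate lookups, so a DNS-rebinding attacker can pass the check with a public address and then serve a private one. Closing that requires pinning the validated IP for the actual connection (or a deny-list at the transport layer), not just re-validating the Location header.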
| CWE | CWE-918 |
| Vendor | hkuds |
| Product | nanobot |
| Published | Jun 1, 2026 |
| Last Updated | Jun 2, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
HKUDS / nanobot
0 < 0.2.1
References
github.com: https://github.com/HKUDS/nanobot/releases/tag/v0.2.1
github.com: https://github.com/HKUDS/nanobot/pull/3928
github.com: https://github.com/HKUDS/nanobot/commit/545294c62c0947da40eb5b65288aaf02b5fdf632
vulncheck.com: https://www.vulncheck.com/advisories/nanobot-ssrf-via-web-fetch-tool-redirect-following
Credits
Chia Min Jun Lennon