Total Dominion: The CVSS 10.0 Flaw in Nanobot Allowing Hackers to Hijack Your WhatsApp
Security researchers from Tenable have unearthed a critical vulnerability, designated CVE-2026-2577, within the prominent AI assistant Nanobot, a tool designed to interface WhatsApp with large language models. This security flaw was assigned a maximum severity rating of 10.0 on the CVSS scale.
The defect lay in Nanobot's internal component communication architecture. Its WebSocket server accepted connections indiscriminately, with no authentication or identity verification of any kind. Consequently, any actor with network access to the environment in which the software was running could connect to port 3001 and gain complete control over the linked WhatsApp account. That access allowed real-time interception of all incoming messages, sending of messages in the victim's name, and hijacking of QR codes during the authentication phase, effectively taking over the session before it was formally established.
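The fix class for a flaw like this is to make the internal bridge refuse any peer that cannot prove it belongs there, and to stop listening on every interface. The following is an added example written for this article, not Nanobot's code or Tenable's proof of concept: a handshake gate that parses the HTTP Upgrade request, rejects browser-supplied origins, requires a shared bearer token compared in constant time, and only then derives the RFC 6455 `Sec-WebSocket-Accept` value. The path `/bridge`, the `BRIDGE_TOKEN` environment variable, the assumption that the legitimate peer is a local non-browser process, and the sample requests are all constructed for the demonstration; port 3001 is the one the article names.

```python
"""Handshake gate for an internal WebSocket bridge (added example, not Nanobot's code).

Shows the hardened pattern: bind to loopback and authenticate every
Upgrade request before the connection is accepted.
"""
import base64
import hashlib
import hmac
import os
import secrets
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 6455 GUID used to derive Sec-WebSocket-Accept (a real protocol constant).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumption: the shared secret is provisioned out of band (here via an
# environment variable); a fresh random value is generated for the demo.
BRIDGE_TOKEN = os.environ.get("BRIDGE_TOKEN") or secrets.token_urlsafe(32)

# Hardened: loopback only. The weak setting would be ("0.0.0.0", 3001),
# which exposes the bridge to everything that can reach the host.
LISTEN_ADDRESS = ("127.0.0.1", 3001)


@dataclass
class Verdict:
    accepted: bool
    status: str           # HTTP status line to answer with
    accept_key: str = ""  # Sec-WebSocket-Accept value when accepted


def parse_upgrade_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into its request line and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def websocket_accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(sha1(Sec-WebSocket-Key + GUID)), per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def gate_handshake(raw: bytes, token: str = BRIDGE_TOKEN,
                   allowed_origins: Tuple[str, ...] = ()) -> Verdict:
    """Decide whether an Upgrade request may become a bridge session."""
    request_line, h = parse_upgrade_request(raw)
    if not request_line.startswith("GET ") or h.get("upgrade", "").lower() != "websocket":
        return Verdict(False, "400 Bad Request")
    if "sec-websocket-key" not in h:
        return Verdict(False, "400 Bad Request")
    # Assumption: the legitimate peer is a local non-browser process that sends
    # no Origin header. A browser tab on the same machine does send one, so an
    # unlisted Origin is refused outright.
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return Verdict(False, "403 Forbidden")
    # Authentication: bearer token, compared in constant time.
    auth = h.get("authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not presented or not hmac.compare_digest(presented.encode(), token.encode()):
        return Verdict(False, "401 Unauthorized")
    return Verdict(True, "101 Switching Protocols", websocket_accept_key(h["sec-websocket-key"]))


def build_request(token: Optional[str], origin: Optional[str] = None) -> bytes:
    """Construct a client Upgrade request (sample input for the demo, not a captured one)."""
    lines = [
        "GET /bridge HTTP/1.1",
        "Host: 127.0.0.1:3001",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Version: 13",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",  # the RFC 6455 sample key
    ]
    if token is not None:
        lines.append(f"Authorization: Bearer {token}")
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def serve_one_connection() -> Verdict:
    """Accept a single TCP connection on loopback, gate it, and answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(LISTEN_ADDRESS)
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            verdict = gate_handshake(conn.recv(4096))
            reply = f"HTTP/1.1 {verdict.status}\r\n"
            if verdict.accepted:
                reply += f"Upgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Accept: {verdict.accept_key}\r\n"
            conn.sendall((reply + "\r\n").encode())
    return verdict


if __name__ == "__main__":
    print("listening on", LISTEN_ADDRESS, "with token", BRIDGE_TOKEN)
    print(serve_one_connection())
```

Two defensive properties are worth noting. The token check runs before any bridge state is touched, so an unauthenticated peer never gets as far as a QR code or a message stream, and the loopback bind means the remaining attack surface is processes already on the host rather than anything with network reach. A quick local check of an existing deployment is to connect to port 3001 with no credentials and confirm the server answers 401 rather than 101.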
The vulnerability was identified by researcher Joshua Martinelle, who facilitated a responsible disclosure to the development team. Tenable initially established contact with the Nanobot architects on February 6, 2026; a remediation was subsequently deployed by February 13, concluding the resolution process within a mere week. The corrective patch has been integrated into version v0.1.3.post7, and all users are stringently advised to implement the update immediately.