CVE-2026-33654: Nanobot AI Assistant Indirect Prompt Injection via Email Channel

Date: 2026-04-04
Tags: malicious-tool, malware

Executive Summary

An indirect prompt injection vulnerability in nanobot's email channel processing module allows remote, unauthenticated attackers to execute arbitrary LLM instructions and system tools without user interaction by sending malicious prompts via email, bypassing channel isolation in a stealthy zero-click attack (CVSS 8.9, HIGH severity).

Campaign Summary

Detailed Findings

Prior to version 0.1.6, the email channel processing module in nanobot (nanobot/channels/email.py) allows remote, unauthenticated attackers to execute arbitrary LLM instructions and subsequently system tools without any interaction from the bot owner. By sending an email containing malicious prompts to the bot's monitored email address, the bot automatically polls, ingests, and processes the email content as highly trusted input, fully bypassing channel isolation. Version 0.1.6 patches the issue. This represents a novel zero-click attack surface for personal AI assistants that monitor email channels, as the attacker requires no user action to trigger malicious behavior.

MITRE ATT&CK Mapping

IOCs

Domains

_GitHub advisory CVE-2026-33654; no IOCs published_

Full URL Paths

_GitHub advisory CVE-2026-33654; no IOCs published_

Splunk Format

_No IOCs available for Splunk query_

Package Indicators

nanobot < 0.1.6

Detection Recommendations

Monitor nanobot deployments running versions < 0.1.6; review email logs for suspicious prompts; implement input validation on email-sourced content before LLM processing; deploy prompt injection detection on email-triggered agent workflows; isolate nanobot instances from sensitive systems.

References

• [CVE Threat Intelligence] CVE-2026-33654: Nanobot indirect prompt injection via email (2026-03-27) — https://cve.threatint.eu/CVE/CVE-2026-33654