CVE-2026-49139 (HIGH). CNA: VulnCheck.

CVE-2026-49139: Nanobot < 0.2.1 SSRF via Microsoft Teams Channel serviceUrl Poisoning

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to be sent, with the bearer token in the Authorization header, to an attacker-controlled host.

Metrics

  • CVSS v4.0: 7.0
  • Severity: HIGH
  • Fixed in: 0.2.1
  • Affected products: 1


HarborGuard Analysis

Synopsis

Server-side request forgery (SSRF) in Nanobot, a Microsoft Teams bot framework library, affects all versions before 0.2.1. The vulnerability is reachable over the network with no authentication required: an attacker sends a crafted inbound activity to the Teams webhook with a forged serviceUrl, poisoning the stored conversation reference so the bot's subsequent replies carry Bot Framework bearer tokens to an attacker-controlled host. Successful exploitation results in theft of those bearer tokens, which can then be used to impersonate the bot and interact with downstream Microsoft services. A patched-image rebuild at version 0.2.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-49139 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Nanobot library. Any image whose dependency manifest resolves to a Nanobot version below 0.2.1 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 7.0 HIGH using the published CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the team inbox or ticketing integration configured by the customer organization, with severity label and affected image list attached.

Patch: Available

A patched-image rebuild pinned to Nanobot 0.2.1 becomes available through HarborGuard once the fix version is resolved against the affected image layers. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Nanobot Teams webhook endpoint over the network to deliver the forged activity payload.

  • Authentication: Not required

    No credentials or session are needed; the Teams webhook accepts inbound activities without prior authentication by the sender.

  • Victim interaction: Not required

    No user action is required; the bot processes the malicious activity and forwards tokens autonomously.

  • Attack complexity

    The base exploit logic is straightforward, but the CVSS AT:P metric (Attack Requirements: Present) indicates that a prerequisite condition (the bot must have an active conversation reference that can be poisoned) must be in place before the attack succeeds.

Blast Radius

  • Reads Bot Framework bearer tokens transmitted in Authorization headers, giving the attacker credentials to call Bot Framework and Microsoft Graph APIs as the bot identity.
  • Modifies downstream bot behavior by redirecting reply traffic, allowing the attacker to intercept or alter messages the bot sends to users.
  • Grants persistent access as long as the poisoned conversation reference remains stored, meaning token exfiltration can continue across multiple bot interactions without re-exploitation.

How HarborGuard Handles This

Available on HarborGuard: images containing Nanobot below 0.2.1 are flagged within minutes of the CVE entering the feed, with a HIGH severity label and a direct reference to the affected dependency layer. A rebuild at 0.2.1 is available for any matched image. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads; the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For teams that review patches manually, the finding routes to the configured team inbox with the fix version pre-populated. Because this vulnerability allows bearer-token theft via a poisoned serviceUrl, teams should also consider network-policy controls that restrict outbound HTTP from the bot container to known Microsoft service endpoints only, limiting the value of any successfully poisoned redirect while a code fix is staged.
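As an added illustration (not Nanobot's code, nor its 0.2.1 fix), the two controls the synopsis and the mitigation note point at: refuse to store a conversation reference whose serviceUrl is not a known Bot Framework host, and re-check the host at egress before a bearer token is attached. The trusted-host list, the activity shape and the Bot Connector REST path are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumed allowlist of Bot Framework / Teams service hosts (an assumption for this
# example, not from the advisory). Entries starting with "." match any subdomain.
TRUSTED_SERVICE_HOSTS = (".botframework.com", "smba.trafficmanager.net")

def is_trusted_service_url(service_url: str) -> bool:
    """Accept only https URLs whose host is a known Bot Framework endpoint."""
    parts = urlsplit(service_url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:  # reject "trusted-host@attacker-host" forms
        return False
    host = parts.hostname.lower()
    for entry in TRUSTED_SERVICE_HOSTS:
        if (entry.startswith(".") and host.endswith(entry)) or host == entry:
            return True
    return False

def update_conversation_reference(store: dict, activity: dict) -> bool:
    """Store the reference only for a trusted serviceUrl; a forged one leaves the store untouched."""
    service_url = activity.get("serviceUrl", "")
    if not is_trusted_service_url(service_url):
        return False
    conv_id = activity["conversation"]["id"]
    store[conv_id] = {"serviceUrl": service_url, "conversation": activity["conversation"]}
    return True

def build_reply_request(store: dict, conv_id: str, token: str, text: str) -> dict:
    """Second check at egress: never attach the bearer token for an untrusted host."""
    ref = store[conv_id]
    if not is_trusted_service_url(ref["serviceUrl"]):
        raise ValueError("refusing to send bearer token to untrusted serviceUrl")
    url = f"{ref['serviceUrl'].rstrip('/')}/v3/conversations/{conv_id}/activities"
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"},
            "json": {"type": "message", "text": text}}

# Constructed sample activities: one genuine, one forged with an attacker-controlled host.
LEGIT_ACTIVITY = {"type": "message", "serviceUrl": "https://smba.trafficmanager.net/amer/",
                  "conversation": {"id": "19:abc"}}
FORGED_ACTIVITY = {"type": "message", "serviceUrl": "https://collector.example.net/",
                   "conversation": {"id": "19:abc"}}

if __name__ == "__main__":
    store = {}
    print(update_conversation_reference(store, LEGIT_ACTIVITY))   # True
    print(update_conversation_reference(store, FORGED_ACTIVITY))  # False: reference not poisoned
    print(build_reply_request(store, "19:abc", "<token>", "hello")["url"])
```

The egress check is the code-level counterpart of the network-policy control mentioned above: even if a reference were poisoned by another path, the token is not sent to a host outside the allowlist.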


Fix available: 0.2.1

Patch commits

Affected packages
  • HKUDS / nanobot: < 0.2.1 (from 0)

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N