CVE-2026-49140
Severity: MEDIUM
Nanobot < 0.2.1 - Authenticated Denial of Service via Matrix Media Download Handler
Title source: llmDescription
Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.
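The pattern described above, as an added illustration (not nanobot's own code, and the cap, field names and function names are assumed): a weak handler that materialises the whole response before checking its size, beside a hardened one that refuses events with a missing or invalid declared size and aborts the stream as soon as the body exceeds what was declared.

```python
# Added example modelling the CVE-2026-49140 pattern; not nanobot's code.
# A Matrix media event carries an optional info["size"]; the weak handler
# downloads everything first and rejects afterwards, so peak memory equals
# the full response size. MAX_MEDIA_BYTES is a hypothetical cap.
from typing import Iterable, Optional

MAX_MEDIA_BYTES = 10 * 1024 * 1024  # assumed 10 MiB limit


def declared_size(info: Optional[dict]) -> Optional[int]:
    """Return info['size'] only if it is a positive int, else None."""
    size = (info or {}).get("size")
    if isinstance(size, bool) or not isinstance(size, int) or size <= 0:
        return None
    return size


def download_weak(chunks: Iterable[bytes], info: Optional[dict]) -> bytes:
    """Weak pattern: join the entire body, then reject if too large."""
    body = b"".join(chunks)            # whole response held in memory
    if len(body) > MAX_MEDIA_BYTES:
        raise ValueError("media too large")
    return body


def download_hardened(chunks: Iterable[bytes], info: Optional[dict]) -> bytes:
    """Hardened pattern: validate the declared size before any transfer and
    keep a running count so an oversized body aborts mid-stream."""
    size = declared_size(info)
    if size is None or size > MAX_MEDIA_BYTES:
        raise ValueError("missing, invalid or oversized declared size")
    received = bytearray()
    for chunk in chunks:
        received.extend(chunk)
        if len(received) > size:       # server sent more than it declared
            raise ValueError("body exceeds declared size; aborting")
    return bytes(received)


def simulate(handler, total_bytes: int, info, chunk: int = 1024) -> tuple:
    """Feed a constructed body of total_bytes (a multiple of chunk) through
    handler; return (accepted, bytes_pulled) to compare the two strategies."""
    pulled = 0

    def body():
        nonlocal pulled
        for _ in range(0, total_bytes, chunk):
            pulled += chunk
            yield b"A" * chunk

    try:
        handler(body(), info)
        return True, pulled
    except ValueError:
        return False, pulled
```

The declared-size check bounds memory per download only; the concurrent-event variant the advisory describes also needs a per-room or per-sender concurrency limit on media fetches.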
References (4)
Core References:
Release Notes: https://github.com/HKUDS/nanobot/releases/tag/v0.2.1
Issue Tracking: https://github.com/HKUDS/nanobot/pull/4106
Third Party Advisory: https://www.vulncheck.com/advisories/nanobot-denial-of-service-via-matrix-media-download-handler
Scores
CVSS v3: 4.3
EPSS: 0.0004
EPSS Percentile: 13.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-770
Status: published
Products (1): HKUDS/nanobot < 0.2.1
Published: Jun 01, 2026
Tracked Since: Jun 02, 2026