Nanobot Email Channel Indirect Prompt Injection Vulnerability Allowing Unauthorized Command Execution

A vulnerability allowing indirect prompt injection has been identified in the email channel processing module of Nanobot, prior to version 0.1.6. This issue enables remote, unauthenticated attackers to execute arbitrary instructions through the language model, and subsequently run system tools, without any interaction from the bot owner. The vulnerability arises because the bot automatically polls and processes email content as highly trusted input, bypassing channel isolation. Attackers can exploit this by sending emails with malicious prompts to the bot's monitored email address, resulting in a stealthy, zero-click attack.

Impact

Exploitation of this vulnerability allows for indirect prompt injection and authentication bypass, leading to a complete compromise of the bot's decision-making process. It enables remote, unauthenticated attackers to execute unauthorized commands using the bot's tools, access local files (including sensitive API keys and secrets), or achieve remote code execution if system tools are enabled.

Reproduction

To reproduce this vulnerability, deploy Nanobot with the email channel activated and configured to poll a specific IMAP inbox. Ensure the bot is running and that its 'allow_from' configuration includes a target email address. Then, send an email to the bot's inbox with a spoofed 'From' header matching one of the allowed addresses, including a prompt injection payload in the email body. After the bot's next scheduled IMAP poll, it will fetch the email, mistakenly authorize the spoofed sender, and process the injected payload via the language model, executing the command asynchronously without user interaction.

Remediation

Users can update to Nanobot version 0.1.4.post6 or later, where this vulnerability has been patched.