CVE-2026-49140
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
01/06/2026
Last modified:
14/07/2026
Description
Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM
Base Score 3.x
4.30
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/HKUDS/nanobot/commit/1d4000560dfff1acb83f5c5ca8ef3ab1f092bd14
- https://github.com/HKUDS/nanobot/pull/4106
- https://github.com/HKUDS/nanobot/releases/tag/v0.2.1
- https://www.vulncheck.com/advisories/nanobot-denial-of-service-via-matrix-media-download-handler
- https://github.com/HKUDS/nanobot/pull/4106



