CVE-2026-28800 PUBLISHED

Natro Macro: Malicious actions allowed through Discord RC Commands by any user

Assigner: GitHub_M
Reserved: 03.03.2026 Published: 06.03.2026 Updated: 06.03.2026

Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel gives access to any user with the permission to send message in said channel access to do anything on their computer. This includes keyboard and mouse inputs and full file access. This issue has been patched in version 1.1.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 6.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	NatroTeam
Product	NatroMacro
Versions	Version < 1.1.0 is affected

References

https://github.com/NatroTeam/NatroMacro/security/advisories/GHSA-ph9r-2qjm-ghvg

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-287: Improper Authentication CWE
CWE-434: Unrestricted Upload of File with Dangerous Type CWE