
AstrBot CVE-2026-10213
EUVD-2026-33534 · LOW
Path Traversal (CWE-22)
2026-06-01 · VulDB · GHSA-pvgx-43cj-688x
CVSS 4.0 (NVD): 2.1

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Severity Changed · Jun 01, 2026 03:22 · NVD: MEDIUM → LOW
CVSS Changed · Jun 01, 2026 03:22 · NVD: 5.4 (MEDIUM) → 2.1 (LOW)
Analysis Generated · Jun 01, 2026 02:43 · vuln.today

Description (CVE.org)

A security flaw has been discovered in AstrBotDevs AstrBot 4.23.6. This vulnerability affects unknown code of the file /api/skills/delete of the component API Endpoint. Performing a manipulation of the argument Name results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skills/delete API endpoint to escape the intended directory boundary, enabling unauthorized deletion or corruption of arbitrary files on the host system. The CVSS vector (C:N/I:L/A:L) confirms no confidentiality exposure but meaningful integrity and availability impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege AstrBot credentials
Delivery: Authenticate to the /api/skills/delete endpoint
Exploit: Craft Name parameter with path traversal sequences (e.g., ../../target/file)
Execution: Submit malicious DELETE API request
Persist: Server resolves traversed path outside skills directory
Impact: Target file deleted or corrupted on host filesystem

Vulnerability Assessment (AI)

Exploitation: Exploitation requires authenticated access to the AstrBot instance with at minimum low-privilege credentials, as confirmed by the CVSS vector PR:L. …

Risk Assessment: The CVSS 5.4 Medium score reflects a network-reachable, low-complexity attack requiring low-privilege authentication (PR:L) with no user interaction - a realistic and repeatable attack posture. …

Exploit Scenario: An attacker with low-privilege credentials to an AstrBot instance - such as a standard user account - submits a DELETE request to /api/skills/delete with a crafted Name value containing path traversal sequences (e.g., ../../config/settings.yaml) to target files outside the intended skills directory. Because the application constructs the file path without sanitization, the server deletes or corrupts the targeted file, potentially disrupting service or eliminating configuration critical to application integrity. …

Remediation: No vendor-released patch has been identified at time of analysis; the vendor did not respond to responsible disclosure, and the CVSS remediation level is listed as undefined (RL:X). …
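The unsafe path construction described in the exploit scenario, next to a hardened delete handler that confines the resolved path to the skills directory. This is an added example, not AstrBot's own code; the skills-directory layout, file names and function names are assumptions.

```python
# Added illustration (not AstrBot's code): the unsafe join pattern behind this
# CVE next to a hardened version; directory layout and names are assumptions.
from pathlib import Path
import re
import shutil
import tempfile

SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")

def resolve_unsafe(skills_dir: Path, name: str) -> Path:
    # Vulnerable pattern: user input joined to the base directory unchecked,
    # so '../' segments walk out of it.
    return Path(skills_dir, name)

def resolve_safe(skills_dir: Path, name: str) -> Path:
    # Hardened: allow-list the name, resolve symlinks, then require the final
    # path to sit strictly inside the skills directory.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid skill name")
    base = skills_dir.resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise ValueError("path escapes skills directory")
    return target

def delete_skill(skills_dir: Path, name: str) -> bool:
    # Returns True if the skill folder was deleted, False if refused.
    try:
        target = resolve_safe(skills_dir, name)
    except ValueError:
        return False
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True

def demo() -> dict:
    # Constructed layout: <tmp>/skills/weather plus a sibling config file
    # standing in for a file the traversal would otherwise reach.
    root = Path(tempfile.mkdtemp())
    skills = root / "skills"
    (skills / "weather").mkdir(parents=True)
    cfg = root / "config.yaml"
    cfg.write_text("key: value\n")
    return {
        "unsafe_reaches_config": resolve_unsafe(skills, "../config.yaml").resolve() == cfg.resolve(),
        "safe_refused": delete_skill(skills, "../config.yaml"),
        "safe_deleted": delete_skill(skills, "weather"),
        "config_intact": cfg.exists(),
    }
```

The allow-list rejects the traversal input before any filesystem call, and the containment check catches cases the regex alone would miss, such as a skill entry that is a symlink pointing outside the directory.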


CVE-2026-10213 vulnerability details – vuln.today