Skip to main content

Astrbot CVE-2026-6118

| EUVDEUVD-2026-21712 LOW
Command Injection (CWE-77)
2026-04-12 VulDB GHSA-g599-67fp-qhgv
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 12, 2026 - 05:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 12, 2026 - 05:05 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 05:00 euvd
EUVD-2026-21712
Analysis Generated
Apr 12, 2026 - 05:00 vuln.today
CVE Published
Apr 12, 2026 - 04:45 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was determined in AstrBotDevs AstrBot up to 4.22.1. Impacted is the function add_mcp_server of the file astrbot/dashboard/routes/tools.py of the component MCP Endpoint. This manipulation of the argument command causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Command injection in AstrBot's MCP endpoint handler (add_mcp_server function) allows authenticated remote attackers to execute arbitrary system commands via the command parameter. Versions up to 4.22.1 are affected. The vulnerability is publicly disclosed with exploit code available on GitHub, and the vendor has not released a patch despite early notification.

Technical ContextAI

The vulnerability exists in the MCP (Model Context Protocol) endpoint implementation within astrbot/dashboard/routes/tools.py. The add_mcp_server function fails to properly sanitize or escape the command argument before passing it to system execution, enabling classic command injection (CWE-77). MCP is a protocol for integrating external tools and services into AI assistants. The affected component processes user-supplied command strings without validation, allowing attackers to inject shell metacharacters (pipes, semicolons, command substitution syntax) that are interpreted by the underlying shell interpreter. CPE cpe:2.3:a:astrbotdevs:astrbot identifies all AstrBot releases up to version 4.22.1.

RemediationAI

No vendor-released patch identified at time of analysis. Users should immediately upgrade to a patched version if the vendor releases one, or contact the vendor at https://github.com/AstrBotDevs/AstrBot/ for available security updates. In the interim, implement strong access controls to restrict dashboard access to trusted administrators only, enforce network segmentation to limit dashboard exposure, and monitor MCP endpoint logs for suspicious command patterns. Consider disabling the MCP tool integration if not actively required. The GitHub issue at https://github.com/AstrBotDevs/AstrBot/issues/7169 may contain additional context or community-driven mitigations.

CVE-2025-48957 HIGH POC
7.5 Jun 02

AstrBot versions 3.4.4 through 3.5.12 contain a path traversal vulnerability (CWE-23) in the dashboard feature that allo

CVE-2026-7579 MEDIUM POC
5.5 May 01

Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authent

CVE-2026-15501 LOW POC
2.1 Jul 12

Server-side request forgery in AstrBot's dashboard MCP Test Endpoint allows low-privileged authenticated users to coerce

CVE-2026-10213 LOW POC
2.1 Jun 01

Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skil

CVE-2026-10210 LOW POC
2.1 Jun 01

Injection in AstrBot 4.23.6 allows authenticated remote attackers to manipulate input through the `_sanitize_prompt_desc

CVE-2026-6117 LOW POC
2.1 Apr 12

AstrBot versions up to 4.22.1 allow authenticated remote attackers to bypass sandbox restrictions via malicious file upl

CVE-2026-10212 LOW POC
2.1 Jun 01

Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate th

CVE-2026-10211 LOW POC
2.1 Jun 01

Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions

CVE-2026-8754 LOW POC
2.1 May 17

Path traversal in AstrBot dashboard file upload allows authenticated remote attackers to write files outside intended di

CVE-2026-6119 LOW POC
2.1 Apr 12

Server-side request forgery (SSRF) in AstrBot API endpoint post_data.get allows authenticated remote attackers to perfor

CVE-2026-15500 LOW POC
2.1 Jul 12

Server-side request forgery in AstrBot up to version 4.25.2 allows authenticated remote attackers to cause the server to

CVE-2026-15499 LOW POC
2.1 Jul 12

Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization c

Share

CVE-2026-6118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy