Skip to main content

AstrBot CVE-2026-7579

| EUVDEUVD-2026-26498 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-05-01 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
May 04, 2026 - 14:16 vuln.today
Public exploit code
Severity Changed
May 01, 2026 - 12:22 NVD
HIGH MEDIUM
CVSS changed
May 01, 2026 - 12:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
May 01, 2026 - 12:00 vuln.today
EUVD ID Assigned
May 01, 2026 - 11:45 euvd
EUVD-2026-26498
Analysis Generated
May 01, 2026 - 11:45 vuln.today
CVE Published
May 01, 2026 - 11:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authentication and gain partial system access. The vulnerability resides in astrbot/dashboard/routes/auth.py, allowing complete authentication bypass without network complexity or user interaction. A public exploit exists on GitHub, and the vendor has not responded to responsible disclosure attempts, leaving users exposed to credential-based attacks with moderate impact across confidentiality, integrity, and availability (CVSS 7.3). EPSS data not available; KEV status negative indicates no confirmed widespread exploitation despite public POC.

Technical ContextAI

This vulnerability stems from CWE-798 (Use of Hard-coded Credentials), where authentication secrets are embedded directly in the source code of the Dashboard component's authentication route handler (auth.py). The affected product is AstrBot, a chatbot development framework by AstrBotDevs. Hard-coded credentials represent a fundamental security flaw where static, unchangeable authentication tokens or passwords exist in the codebase, accessible to anyone with repository access or through reverse engineering. The CPE string (cpe:2.3:a:astrbotdevs:astrbot) confirms this affects the AstrBot application specifically, with versions through 4.16.0 vulnerable. The Dashboard component appears to be a web-based management interface, making the hard-coded credentials particularly dangerous as they expose administrative functionality. Unlike typical authentication bypass techniques that exploit logic flaws, hard-coded credentials provide direct, deterministic access using fixed values discoverable through static analysis.

RemediationAI

No vendor-released patch has been confirmed at time of analysis-the vendor has not responded to disclosure attempts, and CVSS temporal vector indicates unknown remediation level (RL:X). Users should immediately implement the following compensating controls with specific trade-offs: (1) Disable or restrict network access to the AstrBot Dashboard component entirely by blocking TCP ports used by the web interface through firewall rules-this eliminates remote attack surface but removes legitimate administrative access requiring alternative local-only management; (2) Deploy a reverse proxy (nginx, Apache) with IP whitelisting to permit Dashboard access only from trusted management networks-reduces exposure but requires maintaining IP allowlists and may break remote administration workflows; (3) Monitor the GitHub repository (https://github.com/AstrBotDevs/AstrBot) and Security Advisory (https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-vrqm-xcfv-286r) for community-developed patches or forks addressing the hard-coded credentials; (4) If source code access is available, manually replace hard-coded credentials in auth.py with environment variables or secure credential stores and rebuild from source-requires development expertise and creates an unsupported fork. Given vendor unresponsiveness, organizations with security requirements should evaluate migration to actively maintained alternatives. Detailed exploit methodology is available at https://github.com/Dave-gilmore-aus/security-advisories/blob/main/AstrBot-Security-Advisory for defensive validation.

CVE-2025-48957 HIGH POC
7.5 Jun 02

AstrBot versions 3.4.4 through 3.5.12 contain a path traversal vulnerability (CWE-23) in the dashboard feature that allo

CVE-2026-6118 LOW POC
2.1 Apr 12

Command injection in AstrBot's MCP endpoint handler (add_mcp_server function) allows authenticated remote attackers to e

CVE-2026-15501 LOW POC
2.1 Jul 12

Server-side request forgery in AstrBot's dashboard MCP Test Endpoint allows low-privileged authenticated users to coerce

CVE-2026-10213 LOW POC
2.1 Jun 01

Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skil

CVE-2026-10210 LOW POC
2.1 Jun 01

Injection in AstrBot 4.23.6 allows authenticated remote attackers to manipulate input through the `_sanitize_prompt_desc

CVE-2026-6117 LOW POC
2.1 Apr 12

AstrBot versions up to 4.22.1 allow authenticated remote attackers to bypass sandbox restrictions via malicious file upl

CVE-2026-10212 LOW POC
2.1 Jun 01

Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate th

CVE-2026-10211 LOW POC
2.1 Jun 01

Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions

CVE-2026-8754 LOW POC
2.1 May 17

Path traversal in AstrBot dashboard file upload allows authenticated remote attackers to write files outside intended di

CVE-2026-6119 LOW POC
2.1 Apr 12

Server-side request forgery (SSRF) in AstrBot API endpoint post_data.get allows authenticated remote attackers to perfor

CVE-2026-15500 LOW POC
2.1 Jul 12

Server-side request forgery in AstrBot up to version 4.25.2 allows authenticated remote attackers to cause the server to

CVE-2026-15499 LOW POC
2.1 Jul 12

Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization c

Share

CVE-2026-7579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy