Skip to main content

AstrBot CVE-2026-8754

| EUVDEUVD-2026-30700 LOW
Path Traversal (CWE-22)
2026-05-17 VulDB GHSA-f63h-wc26-pmvc
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 17, 2026 - 13:22 NVD
MEDIUM LOW
CVSS changed
May 17, 2026 - 13:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 17, 2026 - 13:00 vuln.today
Analysis Generated
May 17, 2026 - 13:00 vuln.today

DescriptionCVE.org

A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 4.23.6 is recommended to address this issue. The patch is identified as aaec41e5054569ceaa1113593a34da7568e2d211. You should upgrade the affected component.

AnalysisAI

Path traversal in AstrBot dashboard file upload allows authenticated remote attackers to write files outside intended directories via manipulated filenames. Affected versions through 4.23.5 fail to sanitize user-supplied filenames in the post_file function, enabling directory traversal sequences (../, ..\ ) to bypass access controls. Publicly available exploit code exists (GitHub Gist by YLChen-007). Vendor-released patch in version 4.23.6 implements filename sanitization using PurePosixPath normalization and path validation to prevent traversal. CVE assigned CVSS 6.3 (Medium) with low-privilege remote exploitation confirmed. No CISA KEV listing indicates exploitation remains targeted rather than widespread.

Technical ContextAI

This vulnerability exploits CWE-22 (Path Traversal) in AstrBot's Python-based web dashboard, specifically in the chat route's file upload handler (astrbot/dashboard/routes/chat.py). The vulnerable code directly concatenates user-controlled filename input with the attachments directory path using os.path.join without validation. Because os.path.join does not prevent directory traversal sequences, attackers can supply filenames containing '../' (POSIX) or '..\' (Windows) to write files to arbitrary filesystem locations. The commit diff shows the fix introduces _sanitize_upload_filename() which normalizes backslashes to forward slashes, extracts only the base filename using PurePosixPath().name (stripping directory components), removes null bytes, and validates the resolved path stays within attachments_dir using Path.is_relative_to(). Unit tests confirm the sanitization blocks '../../outside.txt', 'C:\fakepath\photo.png', and embedded null bytes. This affects Python web applications using user-supplied filenames in filesystem operations without canonicalization.

RemediationAI

Upgrade to AstrBot version 4.23.6 or later, confirmed patched per GitHub release tag v4.23.6 (https://github.com/AstrBotDevs/AstrBot/releases/tag/v4.23.6) and commit aaec41e5054569ceaa1113593a34da7568e2d211 (https://github.com/AstrBotDevs/AstrBot/commit/aaec41e5054569ceaa1113593a34da7568e2d211). The patch implements comprehensive filename sanitization including path normalization, basename extraction, null-byte stripping, and directory containment validation. If immediate upgrade is not feasible, implement compensating controls: (1) Restrict dashboard access to trusted internal networks only via firewall rules, reducing remote attack surface but limiting legitimate remote administration; (2) Apply web application firewall rules to block HTTP requests containing '../', '..\ ', '%2e%2e', or null bytes (%00) in file upload parameters, though this may cause false positives with legitimate filenames containing URL-encoded characters; (3) Run the AstrBot process under a dedicated low-privilege user account with write permissions restricted to only the attachments directory, limiting traversal impact to that user's accessible paths but requiring filesystem permission reconfiguration. None of these workarounds fully mitigate the vulnerability-upgrading to 4.23.6 is the recommended solution.

CVE-2025-48957 HIGH POC
7.5 Jun 02

AstrBot versions 3.4.4 through 3.5.12 contain a path traversal vulnerability (CWE-23) in the dashboard feature that allo

CVE-2026-7579 MEDIUM POC
5.5 May 01

Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authent

CVE-2026-6118 LOW POC
2.1 Apr 12

Command injection in AstrBot's MCP endpoint handler (add_mcp_server function) allows authenticated remote attackers to e

CVE-2026-15501 LOW POC
2.1 Jul 12

Server-side request forgery in AstrBot's dashboard MCP Test Endpoint allows low-privileged authenticated users to coerce

CVE-2026-10213 LOW POC
2.1 Jun 01

Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skil

CVE-2026-10210 LOW POC
2.1 Jun 01

Injection in AstrBot 4.23.6 allows authenticated remote attackers to manipulate input through the `_sanitize_prompt_desc

CVE-2026-6117 LOW POC
2.1 Apr 12

AstrBot versions up to 4.22.1 allow authenticated remote attackers to bypass sandbox restrictions via malicious file upl

CVE-2026-10212 LOW POC
2.1 Jun 01

Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate th

CVE-2026-10211 LOW POC
2.1 Jun 01

Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions

CVE-2026-6119 LOW POC
2.1 Apr 12

Server-side request forgery (SSRF) in AstrBot API endpoint post_data.get allows authenticated remote attackers to perfor

CVE-2026-15500 LOW POC
2.1 Jul 12

Server-side request forgery in AstrBot up to version 4.25.2 allows authenticated remote attackers to cause the server to

CVE-2026-15499 LOW POC
2.1 Jul 12

Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization c

Share

CVE-2026-8754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy