Skip to main content

Astrbot EUVD-2026-21715

| CVE-2026-6119 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-12 VulDB
SSRF Astrbot
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 12, 2026 - 06:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 12, 2026 - 05:49 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 05:45 euvd
EUVD-2026-21715
Analysis Generated
Apr 12, 2026 - 05:45 vuln.today
CVE Published
Apr 12, 2026 - 05:00 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function post_data.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery (SSRF) in AstrBot API endpoint post_data.get allows authenticated remote attackers to perform arbitrary HTTP requests from the server, potentially exposing internal services or enabling data exfiltration. AstrBot versions up to 4.22.1 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to AstrBot API
Delivery
Craft post_data.get request with internal URL
Exploit
Server issues SSRF request
Execution
Retrieve internal service response
Impact
Exfiltrate sensitive data
Sign in to reveal

Vulnerability AssessmentAI

Risk Assessment CVSS 6.3 (Medium) with CVSS:3.1/AV:N/AC:L/PR:L indicates network-accessible vulnerability requiring low privileges (authenticated user) and low attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user of AstrBot crafts a request to the post_data.get API endpoint with a malicious URL parameter pointing to an internal service (e.g., http://169.254.169.254/latest/meta-data/ for AWS credentials, or http://internal-admin:8080/). The vulnerable endpoint processes this parameter without validation and makes an HTTP request to the attacker-specified URL, returning the response to the attacker. …
Remediation No vendor-released patch identified at time of analysis; the project has not responded to early notification. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-21715 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy