3 matches found
PYSEC-2026-285 AstrBot is vulnerable to RCE with hard-coded JWT signing keys
Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. Details AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python...
CVE-2026-10212
A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astrmainagent of the file astrbot/core/astrmainagent.py. Such manipulation of the argument sessionid leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly availab...
Directory Traversal
Overview AstrBot is a 易上手的多平台 LLM 聊天机器人及开发框架 Affected versions of this package are vulnerable to Directory Traversal via the installpluginupload handler, which parses the filename from the request body and assigns it directly to filepath without validation. An attacker can write arbitrary files t...