PT-2026-57561 · Astrbotdevs · Astrbot

Eric-A

·

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-15501

CVSS v2.0

6.5

Medium

VectorAV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions AstrBotDevs AstrBot versions prior to 4.25.3
Description An issue exists in the MCP Test Endpoint component within the ToolsRoute.test mcp connection() function located in the astrbot/dashboard/routes/tools.py file. A remote attacker can manipulate the mcp server config.url argument to perform server-side request forgery (SSRF), a technique where the server is coerced into making unauthorized requests to internal or external resources.
Recommendations Update AstrBotDevs AstrBot to version 4.25.3 or later. As a temporary mitigation, restrict access to the ToolsRoute.test mcp connection() function.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15501

Affected Products

Astrbot