PT-2026-57561 · Astrbotdevs · Astrbot
Eric-A
·
Published
2026-07-12
·
Updated
2026-07-12
·
CVE-2026-15501
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
AstrBotDevs AstrBot versions prior to 4.25.3
Description
An issue exists in the MCP Test Endpoint component within the
ToolsRoute.test mcp connection() function located in the astrbot/dashboard/routes/tools.py file. A remote attacker can manipulate the mcp server config.url argument to perform server-side request forgery (SSRF), a technique where the server is coerced into making unauthorized requests to internal or external resources.Recommendations
Update AstrBotDevs AstrBot to version 4.25.3 or later.
As a temporary mitigation, restrict access to the
ToolsRoute.test mcp connection() function.Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Astrbot