PT-2026-60921 · Astrbotdevs · Astrbot

·

CVE-2026-16076

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v2.0

6.5

Medium

VectorAV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions AstrBotDevs AstrBot versions prior to 4.25.6
Description An authentication bypass exists in the API component due to username spoofing. A remote attacker can manipulate the Username argument within the OpenApiRoute.chat send() function located in the astrbot/dashboard/routes/open api.py file to bypass authentication mechanisms.
Recommendations Update AstrBotDevs AstrBot to version 4.25.6 or later. As a temporary mitigation, restrict access to the OpenApiRoute.chat send() function.

Exploit

Fix

Authentication Bypass by Spoofing

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-16076

Affected Products

Astrbot