PT-2026-60921 · Astrbotdevs · Astrbot
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
AstrBotDevs AstrBot versions prior to 4.25.6
Description
An authentication bypass exists in the API component due to username spoofing. A remote attacker can manipulate the
Username argument within the OpenApiRoute.chat send() function located in the astrbot/dashboard/routes/open api.py file to bypass authentication mechanisms.Recommendations
Update AstrBotDevs AstrBot to version 4.25.6 or later.
As a temporary mitigation, restrict access to the
OpenApiRoute.chat send() function.Exploit
Fix
Authentication Bypass by Spoofing
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Astrbot