CVE-2026-10212

MEDIUM

AstrBotDevs AstrBot astr_main_agent.py astr_main_agent authorization

Title source: cna

Description

A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astr_main_agent of the file astrbot/core/astr_main_agent.py. Such manipulation of the argument session_id leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-367491 | AstrBotDevs AstrBot astr_main_agent.py astr_main_agent authorization

https://vuldb.com/vuln/367491

Signature, Permissions Required signature permissions-required

VDB-367491 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/367491/cti

Third Party Advisory third-party-advisory

CVE-2026-10212 | CVE Analysis and Report

https://vuldb.com/cve/CVE-2026-10212

Third Party Advisory third-party-advisory

Submit #821923 | AstrBotDevs AstrBot 4.24.2 Insecure Direct Object Reference (CWE-639)

https://vuldb.com/submit/821923

Exploit exploit

https://gist.github.com/YLChen-007/91a7f955143099e1747424707dfad0f9

Scores

CVSS v3 6.3

EPSS 0.0021

EPSS Percentile 11.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-639

Status published

Products (1)

AstrBotDevs/AstrBot 4.24.2

Published Jun 01, 2026

Tracked Since Jun 01, 2026