Description
A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astr_main_agent of the file astrbot/core/astr_main_agent.py. Such manipulation of the argument session_id leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in AstrBot 4.24.2's astr_main_agent function. Manipulating the session_id argument circumvents normal authorization checks, allowing a remote attacker to access privileged functionality. This results in unauthorized access to internal services, potentially exposing sensitive data or enabling further manipulation of the bot.

Affected Systems

The vulnerability affects AstrBotDevs AstrBot version 4.24.2, specifically the astrbot/core/astr_main_agent.py file. No other versions are listed as impacted.

Risk and Exploitability

The CVSS 4.0 score of 5.3 indicates medium severity (the CVSS 3.x vectors score it 6.3), and although the EPSS estimate is below 1%, the public availability of an exploit means the risk is not negligible. The attack is carried out remotely by supplying a session_id that the caller is not authorized to use. The vendor has not released a fix, and the vulnerability is not listed in the CISA KEV catalog; the exploit maturity recorded in the CVSS vectors (E:P / E:POC) reflects a published proof of concept rather than confirmed in-the-wild exploitation.

Generated by OpenCVE AI on June 1, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch (a release newer than 4.24.2) as soon as the vendor publishes one.
  • Enforce server-side session ID validation in astr_main_agent: bind each session_id to the authenticated principal and reject any session_id that the caller does not own (CWE-285 / CWE-639), rather than trusting the value supplied by the client.
  • As a stopgap, deploy an application-layer firewall rule that rejects malformed session_id values; note that a well-formed session_id belonging to another user is the actual attack vector, so this does not replace the server-side check.
  • Monitor application logs for session_id values used by a principal other than their owner, or for a single account cycling through many session_ids.


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 02:30:00 +0000

Type / Values Removed / Values Added (initial entry: no values removed; every field below was added)

Description: A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astr_main_agent of the file astrbot/core/astr_main_agent.py. Such manipulation of the argument session_id leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: AstrBotDevs AstrBot astr_main_agent.py astr_main_agent authorization
First Time appeared: Astrbot; Astrbot astrbot
Weaknesses: CWE-285; CWE-639
CPEs: cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*
Vendors & Products: Astrbot; Astrbot astrbot
References: (none)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T01:30:10.133Z

Reserved: 2026-05-31T07:14:10.540Z

Link: CVE-2026-10212

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T03:16:23.837

Modified: 2026-06-01T03:16:23.837

Link: CVE-2026-10212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T04:30:19Z

Weaknesses