Description
A security flaw has been discovered in AstrBotDevs AstrBot 4.23.6. This vulnerability affects unknown code of the file /api/skills/delete of the component API Endpoint. Performing a manipulation of the argument Name results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in AstrBotDevs AstrBot 4.23.6 allows a remote attacker to manipulate the *Name* argument of the /api/skills/delete endpoint, creating a path traversal (CWE-22) condition. Because the endpoint deletes skills, the practical effect is removal of files or directories outside the intended skills directory; the recorded CVSS vectors rate the impact as low integrity and low availability with no confidentiality loss, so file disclosure is not indicated by the record. The attack is network-reachable and needs only a low-privilege account (PR:L), and a public proof of concept exists, so neither local access nor original research is required to attempt it.

Affected Systems

AstrBotDevs AstrBot version 4.23.6 is affected, and the path involved is explicitly /api/skills/delete. No other versions are listed as impacted, but the CPE on the record (cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*) carries no version bound, so adjacent releases should be treated as unverified rather than as safe.

Risk and Exploitability

The CVSS v4.0 score of 5.3 (v3.1: 5.4) places the vulnerability in the medium range; the EPSS score is below 1%, and it is not included in the CISA KEV catalog (SSVC: Exploitation poc, Automatable no, Technical Impact partial). Exploitation is remote but requires an authenticated low-privilege account; the publicly released proof of concept lowers the barrier further. No patch or vendor response has been recorded, so internet-exposed instances that have not applied compensating access controls carry the most risk.

Generated by OpenCVE AI on June 1, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed release is listed; when the vendor publishes a version in which the /api/skills/delete endpoint validates the Name parameter, upgrade to it.
  • Until then, restrict access to the AstrBot API with firewall rules or an authenticating reverse proxy so only trusted networks reach it, and because the flaw requires a valid low-privilege account, review who holds API credentials.
  • If you maintain a fork or local patch, validate the Name argument before it reaches the filesystem: allow-list plain identifiers, canonicalize the joined path, and confirm the result is still inside the skills directory. Rejecting only the literal '..' is not enough; URL-encoded, absolute and symlinked forms must fail the same containment check.
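The example below is added here and is not AstrBot's code: it shows the naive join that produces the traversal condition described under Impact beside the validation the last action above asks for. The skills directory layout, the handler shape and the helper names (unsafe_skill_path, safe_skill_path, delete_skill) are assumptions; only the endpoint's behaviour of deleting by a user-supplied Name comes from the record.

```python
"""Added example, not AstrBot's own code: validating a user-supplied skill
name before it is turned into a filesystem path (CWE-22 mitigation).
Directory layout, request shape and helper names are assumed."""
import re
import shutil
import tempfile
from pathlib import Path

# Only plain identifiers are accepted as skill names. Separators, dot
# sequences, percent signs and NUL bytes never reach the filesystem.
_SKILL_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def unsafe_skill_path(skills_dir: Path, name: str) -> Path:
    """The pattern behind the flaw: the untrusted Name is joined as-is, so
    '../config.yaml' or '/etc/passwd' resolves outside skills_dir."""
    return skills_dir / name


def safe_skill_path(skills_dir: Path, name: str) -> Path:
    """Allow-list the name, then canonicalize and confirm the result is still
    inside skills_dir. The second check also covers symlinks planted inside
    the skills directory; resolve() is non-strict so the target need not exist."""
    if not _SKILL_NAME.fullmatch(name):
        raise ValueError(f"rejected skill name: {name!r}")
    base = skills_dir.resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes skills directory: {target}")
    return target


def delete_skill(skills_dir: Path, name: str) -> bool:
    """Hardened shape of a delete handler: removes only an entry that the
    validator placed inside skills_dir. Returns True if something was removed."""
    target = safe_skill_path(skills_dir, name)
    if not target.exists():
        return False
    if target.is_dir() and not target.is_symlink():
        shutil.rmtree(target)
    else:
        target.unlink()
    return True


def classify_names(names) -> dict:
    """Report which candidate Name values the validator accepts, against a
    hypothetical base directory; handy for mirroring the rule in a proxy
    or a unit test."""
    base = Path("/srv/astrbot/skills")  # assumed location, need not exist
    results = {}
    for n in names:
        try:
            safe_skill_path(base, n)
            results[n] = "accepted"
        except ValueError:
            results[n] = "rejected"
    return results


def demo_delete() -> dict:
    """Self-contained scenario on a temporary directory: one skill inside the
    skills directory and one constructed victim file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        skills = root / "skills"
        (skills / "weather").mkdir(parents=True)
        victim = root / "config.yaml"
        victim.write_text("secret: 1\n")  # constructed victim file
        out = {}
        # The naive join really does leave the skills directory.
        escaped = unsafe_skill_path(skills, "../config.yaml").resolve()
        out["unsafe_escapes"] = skills.resolve() not in escaped.parents
        # A legitimate delete still works through the hardened path.
        out["legit_deleted"] = (delete_skill(skills, "weather")
                                and not (skills / "weather").exists())
        blocked = 0
        for bad in ("../config.yaml", "..", "/etc/passwd",
                    "weather/../../config.yaml", "a\x00b"):
            try:
                delete_skill(skills, bad)
            except ValueError:
                blocked += 1
        out["blocked"] = blocked
        out["victim_intact"] = victim.exists()
        return out


if __name__ == "__main__":
    print(classify_names(["weather", "../config.yaml", "..%2Fx", "/etc/passwd"]))
    print(demo_delete())
```

The allow-list deliberately admits no dots at all; if skill names legitimately need them, loosen the pattern but keep the containment check, since it is the resolve-and-compare step, not the character filter, that ultimately guarantees the delete stays inside the directory.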

Generated by OpenCVE AI on June 1, 2026 at 03:21 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 12:30:00 +0000

Type Values Removed Values Added

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 02:30:00 +0000

Type Values Removed Values Added

Description (values added): A security flaw has been discovered in AstrBotDevs AstrBot 4.23.6. This vulnerability affects unknown code of the file /api/skills/delete of the component API Endpoint. Performing a manipulation of the argument Name results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Title (values added): AstrBotDevs AstrBot API Endpoint delete path traversal

First Time appeared (values added): Astrbot; Astrbot astrbot

Weaknesses (values added): CWE-22

CPEs (values added): cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*

Vendors & Products (values added): Astrbot; Astrbot astrbot

References (values added): none listed

Metrics (values added):

cvssV2_0
{'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T11:48:08.449Z

Reserved: 2026-05-31T07:14:19.847Z

Link: CVE-2026-10213

Vulnrichment

Updated: 2026-06-01T11:47:10.477Z

NVD

Status: Deferred

Published: 2026-06-01T03:16:24.967

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T03:30:18Z

Weaknesses