CVE-2026-6119 - Vulnerability Details

- AstrBotDevs AstrBot API Endpoint post_data.get server-side request forgery

Description

A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function post_data.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-04-12

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The function post_data.get in the AstrBot API endpoint enables an attacker to craft requests that the server will forward to any target within or outside the network. This can lead to unauthorized access to internal services, data exfiltration, or further compromise of internal resources. The vulnerability is a classic SSRF flaw, categorized under CWE‑918, and allows the attacker to influence outbound traffic initiated by the server.

Affected Systems

AstrBotDevs AstrBot versions up to and including 4.22.1 are affected. Users running any release within this range are vulnerable and should review their deployment for the presence of the impacted API endpoint.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. Publicly available proof‑of‑concept code exists, and the flaw can be exercised remotely via the API, implying a non‑trivial exploitation potential. EPSS data is not provided, and the vulnerability is not catalogued in the KEV list. The likely attack vector involves sending crafted payloads to the vulnerable endpoint from an exposed network or malicious actor controlling API traffic.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AstrBotDevs

AstrBot

affected

Version	Status	Constraints
`4.22.0`	affected	—
`4.22.1`	affected	—

No data.

Vendor Product Confidence Versions

Astrbot

95%

Version	Status	Scheme	Platform
`4.22.0`	affected	semver	—
`4.22.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update AstrBot to a release newer than 4.22.1 as soon as a patch is available
If an upgrade cannot be performed immediately, restrict the API endpoint so that it only accepts requests from trusted IP ranges and block outbound requests to untrusted networks
Enable firewall or proxy rules to monitor and log all outbound HTTP/HTTPS traffic originating from the server
Apply least‑privilege principles to the API credentials used by AstrBot
Regularly consult the AstrBot issue tracker and vendor advisories for new security releases

Generated by OpenCVE AI on April 12, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/AstrBotDevs/AstrBot/
https://github.com/AstrBotDevs/AstrBot/issues/7171
https://vuldb.com/submit/792661
https://vuldb.com/vuln/356979
https://vuldb.com/vuln/356979/cti

History

Tue, 14 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 12 Apr 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function post_data.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Title		AstrBotDevs AstrBot API Endpoint post_data.get server-side request forgery
First Time appeared		Astrbot Astrbot astrbot
Weaknesses		CWE-918
CPEs		cpe:2.3:a:astrbot:astrbot::::::::
Vendors & Products		Astrbot Astrbot astrbot
References		https://github.com/AstrBotDevs/AstrBot/ https://github.com/AstrBotDevs/AstrBot/issues/7171 https://vuldb.com/submit/792661 https://vuldb.com/vuln/356979 https://vuldb.com/vuln/356979/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Astrbot Astrbot

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-12T05:00:20.093Z

Updated: 2026-04-14T16:33:26.198Z

Reserved: 2026-04-11T08:50:24.541Z

Link: CVE-2026-6119

Vulnrichment

Updated: 2026-04-14T15:18:13.414Z

NVD

Status : Deferred

Published: 2026-04-12T06:16:21.927

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6119

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:14Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object