Description
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in AstrBotDevs AstrBot allows an attacker to gain unauthorized access by exploiting hard‑coded credentials present in the auth.py file of the Dashboard component. The weakness corresponds to CWE-259 and CWE-798 and enables an attacker to log in without knowledge of any user credentials. This elevates the confidentiality and integrity exposure for systems using the affected version by granting full administrative control over the dashboard and its underlying services.

Affected Systems

The issue affects AstrBotDevs AstrBot releases up to and including 4.16.0. The vulnerability resides in the Dashboard module, which is commonly deployed as the central web interface for AstrBot. Instances of AstrBot running in any environment—cloud, on‑premises, or edge—are potentially impacted if they have not applied a fix or upgraded to a later release.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, as public disclosures state that the exploit can be initiated externally. An attacker can exploit the hard‑coded credentials to access the dashboard from any network that can reach the service, provided no network restrictions are in place. Once accessed, the attacker can manipulate settings, view logs, and potentially compromise other components of the AstrBot installation.

Generated by OpenCVE AI on May 1, 2026 at 23:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade AstrBot to a version where the hard‑coded credentials issue is fixed.
  • If a patch is unavailable, modify or delete the default credentials in the auth.py file and ensure that authentication requires a strong, unique password for each account.
  • Limit exposure of the Dashboard UI by restricting its accessibility to trusted IP addresses or through a VPN and monitor authentication logs for anomalous login attempts.

Tracking


Advisories

No advisories yet.

History

Fri, 01 May 2026 11:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
  Values Removed: (none)
  Values Added: AstrBotDevs AstrBot Dashboard auth.py hard-coded credentials

Type: First Time appeared
  Values Removed: (none)
  Values Added: Astrbot; Astrbot astrbot

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-259; CWE-798

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Astrbot; Astrbot astrbot

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added:

  cvssV2_0
  {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

  cvssV3_0
  {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

  cvssV3_1
  {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

  cvssV4_0
  {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T11:30:15.357Z

Reserved: 2026-05-01T06:07:28.530Z

Link: CVE-2026-7579

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-01T12:16:17.027

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses