Description
A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 4.23.6 is recommended to address this issue. The patch is identified as aaec41e5054569ceaa1113593a34da7568e2d211. You should upgrade the affected component.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the post_file function of AstrBotDevs AstrBot’s File Upload Handler (chat.py). The vulnerability allows an attacker to supply arbitrary filenames, causing the server to write or overwrite files outside the intended upload directory. This can enable the upload of malicious scripts or overwrite critical configuration files, potentially granting the attacker remote code execution or unauthorized system access.

Affected Systems

All AstrBotDevs AstrBot installations running version 4.23.5 or earlier are affected. The fix is released in version 4.23.6; upgrading removes the flaw.

Risk and Exploitability

The flaw has a CVSS score of 5.3, indicating moderate severity. Although EPSS data is not available and the issue is not in CISA KEV, the attack can be launched remotely and the exploit is publicly available. The potential impact of gaining code execution depends on the underlying environment; in a web context it could lead to full compromise.

Generated by OpenCVE AI on May 17, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AstrBot to version 4.23.6 or later to apply the vendor patch that fixes the path traversal flaw.
  • If an upgrade is temporarily unavailable, restrict the upload directory to a dedicated, non-executable location and validate all filenames to remove any traversal characters before processing.
  • Ensure the web server is configured so that files uploaded to the public directory cannot be executed, for example by disabling script execution in the upload directory or using a separate application server for serving uploads.
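The filename validation the second action describes, as an added defensive illustration that is not AstrBot's code and not the upstream patch: the naive join pattern behind CWE-22 in upload handlers beside a hardened check. `UPLOAD_ROOT`, the function names and the sample filenames are constructed for this example.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Hypothetical upload directory; a placeholder, not AstrBot's real path.
UPLOAD_ROOT = Path(tempfile.gettempdir()) / "example-bot-uploads"


def naive_target(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """The CWE-22 pattern: the client-supplied name is joined as-is.
    '..' segments walk out of root, and an absolute name replaces root."""
    return Path(os.path.normpath(os.path.join(str(root), filename)))


def escapes_root(target: Path, root: Path) -> bool:
    """True when the normalised target is not root itself or beneath it."""
    r = root.resolve()
    t = target.resolve()
    return t != r and r not in t.parents


def safe_upload_target(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Hardened form: keep only the final path component (under both POSIX
    and Windows separator rules), reject empty/dot names and NUL bytes,
    then confirm containment as a second, independent check."""
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or embedded NUL byte")
    # Strip directory parts whichever separator the client used.
    name = PureWindowsPath(PurePosixPath(filename).name).name
    if name in ("", ".", ".."):
        raise ValueError("filename has no usable component")
    target = root / name
    if escapes_root(target, root):
        raise ValueError("resolved path leaves the upload directory")
    return target


def is_accepted(filename: str, root: Path = UPLOAD_ROOT) -> bool:
    """Convenience predicate for the hardened check."""
    try:
        safe_upload_target(filename, root)
        return True
    except ValueError:
        return False
```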


Advisories

No advisories yet.

History

Sun, 17 May 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 4.23.6 is recommended to address this issue. The patch is identified as aaec41e5054569ceaa1113593a34da7568e2d211. You should upgrade the affected component.
Title | | AstrBotDevs AstrBot File Upload chat.py post_file path traversal
First Time appeared | | Astrbot; Astrbot astrbot
Weaknesses | | CWE-22
CPEs | | cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*
Vendors & Products | | Astrbot; Astrbot astrbot
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T12:15:09.708Z

Reserved: 2026-05-16T17:33:50.142Z

Link: CVE-2026-8754

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T13:16:46.107

Modified: 2026-05-17T13:16:46.107

Link: CVE-2026-8754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T16:45:05Z

Weaknesses