MEDIUM 6.3

CVE-2026-10210: AstrBot 4.23.6 Prompt Injection Vulnerability

AstrBot version 4.23.6 contains a vulnerability in its skill management system that allows authenticated users to inject malicious code through the prompt description field. An attacker with login credentials can manipulate how skill prompts are processed, potentially leading to unauthorized data access, system modification, or service disruption. The vulnerability has been publicly disclosed, and exploit code is available, though the vendor has not engaged with disclosure efforts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-707, CWE-74
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in AstrBotDevs AstrBot 4.23.6. Affected by this vulnerability is the function _sanitize_prompt_description of the file astrbot/core/skills/skill_manager.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the _sanitize_prompt_description function within astrbot/core/skills/skill_manager.py. Insufficient input validation on the prompt description parameter permits injection attacks when processing skill definitions. The flaw allows authenticated attackers to bypass sanitization controls and inject payloads that are executed during prompt processing. This is classified as an injection vulnerability (CWE-707, CWE-74) requiring user privileges but no additional interaction to exploit.

Business impact

Organizations deploying AstrBot 4.23.6 face insider risk and compromised automation workflows. An authenticated user—whether legitimate admin or compromised account—can inject malicious instructions into bot skills, potentially exfiltrating data, altering system behavior, or poisoning downstream integrations. The public availability of exploits lowers the barrier for opportunistic attacks. Unpatched instances become attractive pivot points within networks that rely on bot automation for business processes.

Affected systems

AstrBot version 4.23.6 is confirmed vulnerable. No vendor patch information was provided in available advisories, and the vendor has not responded to early disclosure attempts. Organizations should assume all instances of version 4.23.6 are at risk. Earlier and later versions should be verified against the vendor's GitHub repository or official documentation, as version-specific scope was not disclosed.

Exploitability

Exploitation requires valid authentication credentials, which mitigates attack surface in properly segmented environments. However, the CVSS score of 6.3 reflects the combination of network accessibility and low complexity, meaning an attacker with credentials can exploit this remotely without additional steps. Public exploit disclosure significantly elevates practical exploitability risk. Insider threat actors or attackers with compromised accounts can execute attacks with minimal technical barriers.

Remediation

Primary remediation is upgrading from version 4.23.6. Since the vendor has not released a patch and remains unresponsive, organizations should monitor the AstrBotDevs repository for security updates or consider forking/patching the code internally if the project remains unmaintained. In the interim, restrict access to the skill management interface to trusted administrators, audit authentication logs for suspicious skill modifications, and isolate AstrBot instances on network segments with restricted data access.

Patch guidance

Verify the latest available version on the AstrBotDevs GitHub repository or official distribution channels. If a patched version beyond 4.23.6 is available, test it in a staging environment before production deployment. Given the vendor's unresponsiveness to disclosure, patches may be delayed or require community-driven fixes. Review release notes and commit history to confirm injection handling has been hardened in any candidate version. If no patch is forthcoming, evaluate community forks or alternative automation platforms.

Detection guidance

Monitor for suspicious skill management activities: watch authentication logs for unusual accounts accessing skill configuration, track modifications to prompt description fields for encoded payloads or command-like syntax, and log any errors or exceptions thrown by the _sanitize_prompt_description function. Implement network detection for AstrBot instances communicating to unexpected external hosts. Review stored skill definitions periodically for anomalous prompts that deviate from legitimate bot workflows. SIEM rules should flag rapid or bulk skill modifications by non-admin accounts.

Why prioritize this

Although the CVSS score is MEDIUM (6.3), this vulnerability deserves prompt attention due to public exploit availability and vendor non-responsiveness. Authenticated attack surface is lower than unauthenticated, but in environments with credential reuse or insider threats, the risk is elevated. The injection vector targeting bot skill instructions creates secondary risks—compromised bots can amplify attacks across integrated systems. Prioritize this if AstrBot is internet-facing, manages sensitive workflows, or operates alongside critical data systems.

Risk score, explained

CVSS 3.1 score of 6.3 (MEDIUM) reflects: Network-accessible vector (AV:N), low complexity (AC:L), requirement for authenticated user (PR:L), no user interaction needed (UI:N), and single-scope impact (S:U) with limited confidentiality, integrity, and availability damage (C:L/I:L/A:L). The score appropriately captures that exploitation is straightforward for insiders but requires pre-existing access. Context-specific risk is higher given public exploit availability and unresponsive vendor—organizations should treat this above baseline MEDIUM severity in active threat modeling.

Frequently asked questions

Does this vulnerability affect AstrBot versions other than 4.23.6?

The advisory specifically identifies 4.23.6 as vulnerable. Without vendor guidance, scope for earlier or later versions is unclear. Check the AstrBotDevs repository, commit history, or reach out to the maintainer to determine if other versions are affected. Apply defensive measures to all AstrBot instances until patch status is confirmed.

How do I know if AstrBot is running in my environment?

Audit your automation infrastructure for AstrBot deployments. Check process lists, container images, and configuration management systems for references to 'astrbot' or 'AstrBotDevs'. Review application logs and network traffic for characteristic AstrBot identifiers. Scan your codebase and dependency files (requirements.txt, package.json, etc.) for AstrBot imports.

If the vendor is unresponsive, what are my options?

Options include: upgrading to a newer version if available despite vendor silence, forking and patching the code internally, evaluating community-maintained forks if they exist, or migrating to alternative bot platforms with active security support. Document your decision and timeline for remediation in your risk register.

What does an attack via this vulnerability look like?

An attacker with valid credentials logs into AstrBot, navigates to skill management, and injects code or commands into a skill's prompt description field. The malicious payload bypasses sanitization and is processed during skill execution, potentially reading sensitive data, modifying bot behavior, or triggering downstream actions. Attacks may be subtle and hard to detect without prompt auditing.

This analysis is provided for informational purposes. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability scope beyond the disclosed advisory. Organizations should verify affected versions, patch availability, and applicability to their specific deployments with the vendor or official AstrBotDevs repository. No exploit code, weaponized proof-of-concept, or attack orchestration guidance is provided herein. Consult your security team and vendor documentation before implementing remediation steps. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).