CVE-2026-10211: AstrBot 4.23.6 Path Normalization Authorization Bypass
AstrBot version 4.23.6 contains a flaw in how it validates file system paths, allowing authenticated users to bypass access restrictions and read, modify, or delete files they shouldn't be able to access. An attacker with valid credentials can exploit this remotely without user interaction. The vulnerability has already been disclosed publicly, and exploit code may be available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-285, CWE-863
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the _normalize_rw_path function within astrbot/core/tools/computer_tools/fs.py. The function fails to properly sanitize or validate file path normalization, creating an authorization bypass. This permits authenticated attackers to escape intended directory restrictions and access files outside their permitted scope. The issue is classified as both improper access control (CWE-285) and improper authorization (CWE-863), allowing an attacker to read, modify, or delete sensitive files depending on the application's file permissions context.
Business impact
An authenticated attacker exploiting this vulnerability could access confidential data, modify critical files, or corrupt application state. In environments where AstrBot processes sensitive information or manages system-level tasks, this could lead to data exfiltration, service disruption, or lateral movement within the infrastructure. The damage is amplified if AstrBot runs with elevated privileges or has access to shared file systems.
Affected systems
AstrBot version 4.23.6 is confirmed vulnerable. Earlier and later versions should be checked against vendor advisories for exposure. No official patch status has been published by the vendor. Users should consult the AstrBotDevs repository or security announcements to determine which versions contain fixes.
Exploitability
Exploitation requires valid authentication credentials to the AstrBot instance, reducing the attack surface compared to unauthenticated flaws. However, the attack is remotely triggerable and requires no user interaction once authenticated. The public disclosure of this vulnerability means that threat actors have access to detailed attack information and may have developed working exploits.
Remediation
Immediately verify your AstrBot deployment version. If running 4.23.6, contact AstrBotDevs or check their repository for available patches or workarounds. Since the vendor did not respond to early disclosure, monitor community channels and security advisories closely. As a temporary control, restrict network access to AstrBot to trusted networks and audit user accounts with AstrBot access. Consider implementing file system access controls or containerization to limit the scope of any potential compromise.
Patch guidance
Check the AstrBotDevs GitHub repository and official documentation for security advisories and updated releases. Verify the specific version numbers of any available patches before deploying. Test patches in a non-production environment first. If no official patch is available, escalate to the vendor or community for guidance on timeline and recommended interim protections.
Detection guidance
Monitor AstrBot application logs for unusual file access patterns, particularly path traversal attempts or access to files outside expected directories. Watch for authenticated sessions making unexpected file system queries. Implement file integrity monitoring on critical files that AstrBot should not normally modify. Network-level detection should focus on AstrBot API calls with suspicious path parameters. Review access logs for authenticated users with unusual activity patterns.
Why prioritize this
Although the CVSS score is medium (6.3), this vulnerability warrants prompt attention because it combines authenticated remote exploitability with public disclosure and potentially available exploit code. The authorization bypass nature means compromise could be subtle and difficult to detect. Organizations relying on AstrBot for automation or data processing should prioritize assessment and patching before widespread weaponization occurs.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects: remote network-based attack vector, low attack complexity (straightforward path normalization bypass), requirement for low-level privileges (authentication), and impact to confidentiality, integrity, and availability within the affected system's scope. The score does not account for public disclosure or the vendor's lack of response, which are contextual factors elevating practical risk.
Frequently asked questions
Do we need valid AstrBot credentials to exploit this?
Yes. The vulnerability requires authenticated access—an attacker cannot exploit it anonymously. However, if your AstrBot instance is exposed to untrusted networks or user credentials are weak, the barrier is lower than it appears.
What should we do if we cannot patch immediately?
Restrict network access to AstrBot instances to known, trusted hosts and users. Audit and minimize the number of active user accounts. Enable detailed logging and monitoring of file system operations. Consider running AstrBot in a restricted container or environment. Monitor vendor channels for patch availability and interim recommendations.
Is this vulnerability in the CISA KEV catalog?
No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, public disclosure means exploitation is possible, so do not treat absence from KEV as a signal that the risk is low.
How long has this been publicly disclosed?
The vulnerability was published on June 1, 2026, and last modified on June 17, 2026. Depending on the current date and your deployment, threat actors may already possess working exploits. Prioritize assessment within days, not weeks.
This analysis is based on available vulnerability disclosures and public information as of the publication date. No exploit code or weaponized proof-of-concept steps are provided herein. Patch version numbers and availability should be verified directly against vendor advisories and repositories. Organizations must conduct their own risk assessment based on their specific deployment, data sensitivity, and security posture. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController