CVE-2026-10213: AstrBot 4.23.6 Path Traversal in API Endpoint
AstrBot version 4.23.6 contains a path traversal vulnerability in its API endpoint that handles skill deletion. An authenticated attacker can manipulate the Name parameter to traverse the file system and read or modify files outside the intended directory structure. The vulnerability is network-accessible and does not require user interaction beyond the attacker having valid credentials. Public exploit code is available, increasing the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in AstrBotDevs AstrBot 4.23.6. This vulnerability affects unknown code of the file /api/skills/delete of the component API Endpoint. Performing a manipulation of the argument Name results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10213 is a path traversal vulnerability (CWE-22) affecting the /api/skills/delete API endpoint in AstrBot 4.23.6. The flaw exists in the handling of the Name argument, which fails to properly sanitize or validate user-supplied input before using it in file system operations. By injecting path traversal sequences (such as '../'), an authenticated attacker can escape the intended directory context and access arbitrary files on the server. The CVSS 3.1 score of 5.4 (MEDIUM) reflects the requirement for authenticated access, though both confidentiality and integrity impacts are possible depending on file permissions and server configuration.
Business impact
Organizations running AstrBot 4.23.6 face risk of unauthorized file access and modification. An insider or compromised account holder could read sensitive configuration files, extract credentials, or modify application logic to establish persistence or escalate privileges. The availability of public exploit code shortens the window between discovery and active attack attempts. The vendor's non-responsiveness means patches may be delayed, leaving organizations in a prolonged vulnerable state if they depend on AstrBot for critical functionality.
Affected systems
AstrBot version 4.23.6 is confirmed vulnerable. The vulnerability is specific to the /api/skills/delete endpoint and requires an attacker to have valid API authentication credentials. Any deployment of this version exposed to internal or external networks where untrusted users possess or can obtain valid credentials is at risk.
Exploitability
This vulnerability rates as moderately exploitable in practice. It requires authentication, which raises the barrier slightly compared to unauthenticated remote code execution flaws. However, public exploit code has been released, removing the need for custom development or deep technical expertise. Attackers with any valid API credential—whether obtained through phishing, insider access, or credential compromise—can immediately attempt exploitation. The simplicity of path traversal payloads means exploitation requires minimal sophistication.
Remediation
Immediately identify all instances of AstrBot 4.23.6 in your environment. Check the AstrBotDevs project repository or official channels for patched versions released after this vulnerability was disclosed in June 2026. If updates are available, schedule patching as high priority given the public exploit availability. Until a patch is deployed, consider implementing network segmentation to restrict access to the /api/skills/delete endpoint to trusted internal networks only, and audit API credential usage to detect unauthorized access attempts. Credential rotation for API users is prudent if compromise is suspected.
Patch guidance
Contact AstrBotDevs or consult their official repository for patched releases. Given the vendor's lack of response noted in the vulnerability record, verify patch availability against their GitHub or official documentation before assuming a fix exists. If no patch is available from the vendor, prioritize preventive controls: restrict endpoint access via API gateway rules, enforce strict input validation at the application layer if source code access permits, and monitor for exploitation attempts. Consider engaging the vendor directly or evaluating alternative tools if a timely fix is not provided.
Detection guidance
Monitor API logs for requests to /api/skills/delete containing suspicious Name parameters with path traversal sequences ('../', '..\'', or URL-encoded variants '%2e%2e/'). Detect failed and successful file system access attempts outside the expected skills directory. Watch for unusual file read or write operations initiated by API processes or service accounts running AstrBot. Network detection can identify requests to this endpoint from unexpected source IP addresses or users with unusual access patterns. File integrity monitoring on configuration and credential storage directories will alert if modification occurs.
Why prioritize this
While the CVSS score is MEDIUM (5.4), prioritization should be elevated due to three factors: (1) public exploit availability dramatically increases real-world attack likelihood; (2) the vendor's non-responsiveness creates uncertainty about patch timelines; (3) path traversal can lead to configuration file disclosure or malicious code injection if write access is achieved. Organizations should treat this as a near-term remediation target, especially if their deployment handles sensitive data or sits in a trust-rich network segment.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects authentication requirement (PR:L), low attack complexity (AC:L), and network accessibility (AV:N). No confidentiality impact is listed in the vector, though path traversal inherently enables file reading; the score may be conservative. Integrity and availability impacts are both low (I:L, A:L), reflecting the limited scope of direct damage per exploitation. The score does not account for public exploit availability or vendor non-responsiveness, which should weigh into organizational risk decisions. Real-world risk is likely higher than the base CVSS suggests.
Frequently asked questions
Do I need valid credentials to exploit this flaw?
Yes. The CVSS vector indicates PR:L (Privileges Required: Low), meaning an attacker must possess or obtain a valid API credential to trigger the vulnerability. This could be a legitimate user account, a compromised credential, or a service account. However, if your AstrBot instance is accessible to untrusted users or if credentials are poorly managed, this barrier is weak.
What files can an attacker read or modify?
An attacker can access any file readable or writable by the AstrBot process user account. Typical targets include configuration files (which may contain database credentials), API keys, environment variables, or application source code. The exact impact depends on your server's file permissions and what sensitive data exists on the same system.
Is there a workaround if I cannot patch immediately?
Yes, consider: (1) restricting network access to the /api/skills/delete endpoint via firewall or API gateway rules; (2) rotating all API credentials and enforcing strong access controls; (3) implementing Web Application Firewall (WAF) rules to block requests with path traversal sequences; (4) running AstrBot with minimal file system permissions. However, these are defensive measures, not fixes—patching remains essential.
Why hasn't the vendor responded?
The vulnerability record states the vendor was contacted early but did not respond. This may indicate resource constraints, abandonment of the project, or miscommunication. Verify the vendor's official channels (GitHub, support email, security contact) to confirm patch availability. If no response or patch is forthcoming, consider escalating to the vendor's security team or evaluating alternative solutions.
This analysis is based on publicly available vulnerability data and the vendor's published description. No independent verification of the affected version scope or patch availability has been performed by SEC.co. Organizations should verify all patch version numbers, affected product versions, and remediation steps against the official AstrBotDevs repository or vendor advisory before taking action. This explainer does not constitute security consulting or a comprehensive risk assessment for your specific environment. Consult with your security team and vendor to determine the urgency and approach for your deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-10278MEDIUMPath Traversal in ishayoyo excel-mcp – Exploitation, Detection, and Remediation