Improper Authorization in AstrBotDevs AstrBot Scheduled Task Handler
CVE-2026-15499
Key Information:
- Vendor
Astrbotdevs
- Status
- Vendor
- CVE Published:
- 12 July 2026
Badges
What is CVE-2026-15499?
A security flaw has been identified in the Scheduled Task Handler of AstrBotDevs AstrBot prior to version 4.25.2. This vulnerability arises from the improper authorization within the FutureTaskTool.call function of the cron_tools.py file. A manipulation of the argument payload['note'] allows for unauthorized access and remote exploitation, potentially compromising sensitive operations. Despite efforts to alert the vendor about this exposure, no response has been received, raising concerns about the security of the affected product and the urgency of implementing protective measures.
Affected Version(s)
AstrBot 4.25.0
AstrBot 4.25.1
AstrBot 4.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
