Server-Side Request Forgery Vulnerability in AstrBot by AstrBotDevs
CVE-2026-15501
Key Information:
- Vendor
Astrbotdevs
- Status
- Vendor
- CVE Published:
- 12 July 2026
Badges
What is CVE-2026-15501?
A security vulnerability has been identified in AstrBot up to version 4.25.2, impacting the MCP Test Endpoint functionality. Specifically, the issue arises in the function ToolsRoute.test_mcp_connection within the file astrbot/dashboard/routes/tools.py. This vulnerability allows remote attackers to manipulate the mcp_server_config.url argument, potentially leading to server-side request forgery (SSRF). The risk is compounded by the fact that the vulnerability was publicly disclosed, but the vendor has not responded to early notifications regarding this security issue.
Affected Version(s)
AstrBot 4.25.0
AstrBot 4.25.1
AstrBot 4.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
