Server-Side Request Forgery Vulnerability in AstrBotDevs AstrBot Plugin
CVE-2026-16074
Key Information:
- Vendor
Astrbotdevs
- Status
- Vendor
- CVE Published:
- 17 July 2026
Badges
What is CVE-2026-16074?
A vulnerability identified in the AstrBotDevs AstrBot version 4.25.2 affects the Plugin Update Handler component, specifically within the update_plugin/update_all_plugins function located in the file astrbot/dashboard/routes/plugin.py. This flaw allows for manipulation of the download_url/download_urls/proxy arguments, potentially enabling remote attackers to conduct server-side request forgery attacks. The exploitation of this vulnerability could lead to unauthorized access to internal resources. Reports indicate that the vendor was notified regarding this issue but has not yet provided a response.
Affected Version(s)
AstrBot 4.25.0
AstrBot 4.25.1
AstrBot 4.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
